[Bro] Disable some type of "alerts" for internal servers
C.L. Martinez
carlopmart at gmail.com
Sun Mar 15 10:15:46 PDT 2015
On 03/15/2015 05:06 PM, C.L. Martinez wrote:
>
>
> On 03/13/2015 02:40 PM, Siwek, Jon wrote:
>>
>>> On Mar 13, 2015, at 6:46 AM, C.L. Martinez <carlopmart at gmail.com> wrote:
>>>
>>> Hi all,
>>>
>>> I am receiving a lot of alerts like this:
>>>
>>> Bro SSL::Invalid_Server_Cert. 172.16.129.8 (Unknown):3040 ->
>>> 172.17.0.130 (Unknown):1610
>>>
>>> which is correct: we are using a lot of self-signed certs in our
>>> infrastructure.
>>>
>>> Is it possible to disable this type of alert for an IP or a group
>>> of IPs?
>>
>> A script like this may do what you want:
>>
>> const invalid_ssl_whitelist: set[addr] = {
>>     # Add IPs here
>> } &redef;
>>
>> hook Notice::policy(n: Notice::Info)
>>     {
>>     if ( n$note == SSL::Invalid_Server_Cert &&
>>          n$conn$id$resp_h in invalid_ssl_whitelist )
>>         # Clear all actions for this notice.
>>         n$actions = Notice::ActionSet();
>>     }
>>
>> You can probably also add logic to filter only if the reason it’s
>> invalid is due to self-signing (e.g. as opposed to expired) by
>> inspecting n$msg.
>>
>> Some related docs to reference:
>>
>> https://www.bro.org/sphinx/frameworks/notice.html
>>
>> - Jon
>>
>
> Many thanks Jon,
>
> But I am doing something wrong. When I launch "bro check", I receive
> the following error:
>
> bro scripts failed.
> error in /data/config/etc/bro/policy/custom.bro, line 24: unknown
> identifier SSL::Invalid_Server_Cert, at or near "SSL::Invalid_Server_Cert"
>
> Actually:
>
> # Disable SSL::Invalid_Server_Cert alert for internal hosts
> const invalid_ssl_whitelist: set[addr] = {
>     10.19.0.12
> } &redef;
>
> hook Notice::policy(n: Notice::Info)
>     {
>     if ( n$note == SSL::Invalid_Server_Cert &&
>          n$conn$id$resp_h in invalid_ssl_whitelist )
>         # Clear all actions for this notice.
>         n$actions = Notice::ActionSet();
>     }
>
> # This script logs which scripts were loaded during each run.
> @load misc/loaded-scripts
Ok, problem solved. Forget it. Sorry for this last post.
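The thread does not say what fixed the "unknown identifier SSL::Invalid_Server_Cert" error. The following is an added example, not code from the thread or from the Bro project: it assumes the cause was that the notice type was never loaded (it is defined in policy/protocols/ssl/validate-certs.bro in Bro 2.x), and it extends Jon's hook to accept subnets as well as single hosts and to suppress only self-signed failures, as Jon suggested, by inspecting n$msg. The module name, the whitelist entries and the `only_self_signed` option are assumptions for illustration.

```bro
# Added example (not from the thread). Assumption: SSL::Invalid_Server_Cert is
# defined by protocols/ssl/validate-certs, so it must be loaded before this
# script references it (otherwise "bro check" reports an unknown identifier).
@load base/frameworks/notice
@load protocols/ssl/validate-certs

module CustomSSLWhitelist;

export {
	## Servers (or whole subnets) whose certificates we issue ourselves.
	## Constructed sample values; replace with your own.
	const invalid_ssl_whitelist: set[subnet] = {
		10.19.0.12/32,
		172.17.0.0/16,
	} &redef;

	## When T, suppress only notices whose validation message mentions a
	## self-signed certificate; expired or otherwise broken certs still alert.
	const only_self_signed = T &redef;
}

# Decide whether a given notice should be silenced. Kept as a function so the
# conditions read top to bottom and can be unit-tested separately.
function should_suppress(n: Notice::Info): bool
	{
	if ( n$note != SSL::Invalid_Server_Cert )
		return F;

	# Only the responder (the server presenting the certificate) is checked;
	# n$conn is &optional, so test for it before dereferencing.
	if ( ! n?$conn || n$conn$id$resp_h !in invalid_ssl_whitelist )
		return F;

	# Assumption: validate-certs puts the OpenSSL verify result into n$msg,
	# e.g. "... (self signed certificate)". Adjust the pattern if your
	# version words it differently.
	if ( only_self_signed && /self signed/ !in n$msg )
		return F;

	return T;
	}

hook Notice::policy(n: Notice::Info)
	{
	if ( should_suppress(n) )
		# Drop every action (log, email, ...) for this notice. The default
		# ACTION_LOG is added at a higher priority, so clearing here wins.
		n$actions = Notice::ActionSet();
	}
```

Load it from local.bro (or pass it on the command line) and run `bro check` again. Keying the whitelist on `resp_h` means a self-signed certificate presented by an unlisted server still raises the notice, and keeping `only_self_signed` at T means an expired or mis-issued certificate on a listed server still does too. If you instead want the notice gone everywhere, the notice framework already offers `redef Notice::ignored_types += { SSL::Invalid_Server_Cert };`, but that loses the per-host precision that motivated the question.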