[Bro] Disable some type of "alerts" for internal servers

C.L. Martinez carlopmart at gmail.com
Sun Mar 15 10:15:46 PDT 2015



On 03/15/2015 05:06 PM, C.L. Martinez wrote:
>
>
> On 03/13/2015 02:40 PM, Siwek, Jon wrote:
>>
>>> On Mar 13, 2015, at 6:46 AM, C.L. Martinez <carlopmart at gmail.com> wrote:
>>>
>>> Hi all,
>>>
>>>   I am receiving a lot of alerts like this:
>>>
>>>   Bro SSL::Invalid_Server_Cert. 172.16.129.8 (Unknown):3040 ->
>>> 172.17.0.130 (Unknown):1610
>>>
>>>   which is correct: we are using a lot of self-signed certs in our
>>> infrastructure.
>>>
>>>   Is it possible to disable this type of alert for an IP or a group
>>> of IPs?
>>
>> A script like this may do what you want:
>>
>> const invalid_ssl_whitelist: set[addr] = {
>>      # Add IPs here
>> } &redef;
>>
>> hook Notice::policy(n: Notice::Info)
>>      {
>>      if ( n$note == SSL::Invalid_Server_Cert &&
>>           n$conn$id$resp_h in invalid_ssl_whitelist )
>>          # Clear all actions for this notice.
>>          n$actions = Notice::ActionSet();
>>      }
>>
>> You can probably also add logic to filter only if the reason it’s
>> invalid is due to self-signing (e.g. as opposed to expired) by
>> inspecting n$msg.
>>
>> Some related docs to reference:
>>
>> https://www.bro.org/sphinx/frameworks/notice.html
>>
>> - Jon
>>
>
> Many thanks Jon,
>
>   But I am doing something wrong. When I launch "bro check", I receive
> the following error:
>
> bro scripts failed.
>     error in /data/config/etc/bro/policy/custom.bro, line 24: unknown
> identifier SSL::Invalid_Server_Cert, at or near "SSL::Invalid_Server_Cert"
>
>   Actually:
>
> # Disable SSL::Invalid_Server_Cert alert for internal hosts
> const invalid_ssl_whitelist: set[addr] = {
>          10.19.0.12
> } &redef;
>
> hook Notice::policy(n: Notice::Info)
>          {
>          if ( n$note == SSL::Invalid_Server_Cert &&
>                  n$conn$id$resp_h in invalid_ssl_whitelist )
>                  # Clear all actions for this notice.
>                  n$actions = Notice::ActionSet();
>          }
>
> # This script logs which scripts were loaded during each run.
> @load misc/loaded-scripts

Ok, problem solved. Forget it. Sorry for this last post.
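A fuller version of the approach in Jon's reply, added here as an example and not code from the thread. It assumes, as is typical for that "unknown identifier" error, that SSL::Invalid_Server_Cert was unknown because the policy script defining it (protocols/ssl/validate-certs) had not been loaded before custom.bro, and that validate-certs places OpenSSL's verification result (e.g. "self signed certificate") in n$msg; the addresses are constructed placeholders.

```bro
# Suppress SSL::Invalid_Server_Cert only for listed internal servers, and
# only when the reason is a self-signed certificate (other failures such as
# expired certs or untrusted CAs still alert).

# Assumption: this script defines the SSL::Invalid_Server_Cert notice type,
# so it must be loaded before the hook below references it.
@load protocols/ssl/validate-certs

module Internal;

export {
	## Internal servers whose self-signed certificates are expected.
	## Constructed placeholder addresses; override with redef in local.bro.
	const self_signed_whitelist: set[addr] = {
		10.19.0.12,
		172.17.0.130
	} &redef;
}

hook Notice::policy(n: Notice::Info)
	{
	if ( n$note != SSL::Invalid_Server_Cert )
		return;

	# Not every notice carries a connection; only act when one is attached.
	if ( ! n?$conn )
		return;

	# Match the responder (the host presenting the certificate), so a
	# whitelisted client talking to an unknown server still alerts.
	if ( n$conn$id$resp_h !in self_signed_whitelist )
		return;

	# Assumption: validate-certs embeds OpenSSL's result string in the
	# message, e.g. "... failed with (self signed certificate)".
	if ( "self signed" !in n$msg )
		return;

	# Clear all actions: the notice is still raised internally but is not
	# logged or alarmed.  Leave Notice::ACTION_LOG in place instead if an
	# audit record of these expected failures is still wanted.
	n$actions = Notice::ActionSet();
	}
```

Run `bro check` (or `broctl check`) after adding the script so a missing @load shows up as the same "unknown identifier" error before deployment.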

