[Bro] When is the file hash value available for the X509 certificate?

Michał Purzyński michalpurzynski1 at gmail.com
Wed Dec 5 12:18:03 PST 2018


Hey!

I think this is a question mostly for Johanna, but feel free to pitch in :)

I discovered recently that over 70% (!!) of my files.log are for X509
certificates. I decided to stop logging events to files.log where the
MIME type is anything that smells like an X509, and that cut down my
SIEM intake by not less than 20%.

The only downside I see is now I do not have the file hash of the X509
certificate logged.

I tried several approaches but I cannot find a way to consistently
access the X509 file hash value before the X509 record is written to
the log.

Ideally I would just add that hash to the x509 as an extra field and
have the best of both worlds (and possibly the fuid as well).

Is that something that can be even done?

--
M.
