[Bro] When is the file hash value available for the X509 certificate?

Michał Purzyński michalpurzynski1 at gmail.com
Wed Dec 5 13:20:50 PST 2018


One more thing

I created this script and it seems to work -
http://try.bro.org/#/trybro/saved/283934

Can I get some feedback on how reliable it will be? It does seem to work on a
single production sensor.



On Wed, Dec 5, 2018 at 3:18 PM Michał Purzyński <michalpurzynski1 at gmail.com>
wrote:

> Hey!
>
> I think this is a question mostly for Johanna, but feel free to pitch
> in :)
>
> I discovered recently that over 70% (!!) of my files.log are for X509
> certificates. I decided to stop logging events to files.log where the
> MIME type is anything that smells like an X509 and that cut down my
> SIEM intake by not less than 20%
>
> The only downside I see is now I do not have the file hash of the X509
> certificate logged.
>
> I tried several approaches but I cannot find a way to consistently
> access the X509 file hash value before the X509 record is written to
> the log.
>
> Ideally I would just add that hash to the x509 as an extra field and
> have the best of both worlds (and possibly the fuid as well).
>
> Is that something that can be even done?
>
> --
> M.
>
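An added example script, not the one behind the try.bro.org link above, showing the two pieces the thread asks for: drop certificate rows from files.log, and carry the certificate's SHA1 into x509.log so the hash is still recorded. It assumes Bro 2.x script APIs (`x509_get_certificate_string`, `sha1_hash`, `Log::get_filter`, and the base x509 script creating `f$info$x509` in `x509_certificate` at priority 5); the MIME type list is constructed and the module name is arbitrary.

```bro
# Example only; assumes Bro 2.x. Hashing the DER bytes in the x509_certificate
# handler avoids depending on which file analyzer (hash vs. X509) finishes first,
# which is what makes the hash available "consistently" before x509.log is written.

module X509Hash;

export {
	## MIME types Bro assigns to certificates (constructed list; extend as needed).
	## Rows with these types are dropped from files.log.
	const cert_mime_types: set[string] = {
		"application/x-x509-user-cert",
		"application/x-x509-ca-cert",
		"application/pkix-cert",
	} &redef;
}

redef record X509::Info += {
	## SHA1 of the DER-encoded certificate. Same bytes the SHA1 file analyzer
	## hashes, so it should match the sha1 column that files.log used to carry.
	## (In Bro 2.x the existing x509.log "id" column already holds the fuid.)
	sha1: string &log &optional;
};

# Priority 3: runs after the base x509 script (priority 5) has created
# f$info$x509 and before the record is written at file_state_remove.
event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate) &priority=3
	{
	if ( ! f?$info || ! f$info?$x509 )
		return;

	f$info$x509$sha1 = sha1_hash(x509_get_certificate_string(cert_ref));
	}

# Replace the default files.log filter with one that skips certificate rows.
# Log::add_filter overwrites an existing filter of the same name.
event bro_init() &priority=-10
	{
	local flt = Log::get_filter(Files::LOG, "default");
	flt$pred = function(rec: Files::Info): bool
		{
		return ! ( rec?$mime_type && rec$mime_type in cert_mime_types );
		};
	Log::add_filter(Files::LOG, flt);
	}
```

Load it via local.bro and compare the new `sha1` column in x509.log against the sha1 column of an unfiltered files.log on a test pcap before relying on it in production.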

