[Bro] When is the file hash value available for the X509 certificate?

Johanna Amann johanna at icir.org
Wed Dec 5 13:55:01 PST 2018


That should be completely reliable.

Johanna


On 5 Dec 2018, at 13:53, Johanna Amann wrote:

> That should be completely reliable.
>
> Johanna
>
> On 5 Dec 2018, at 13:20, Michał Purzyński wrote:
>
>> One more thing
>>
>> I created this script and it seems to work -
>> http://try.bro.org/#/trybro/saved/283934
>>
>> Can I get some feedback on how reliable it will be? It does seem to
>> work on a single production sensor.
>>
>>
>>
>> On Wed, Dec 5, 2018 at 3:18 PM Michał Purzyński 
>> <michalpurzynski1 at gmail.com>
>> wrote:
>>
>>> Hey!
>>>
>>> I think this is a question mostly for Johanna, but feel free to
>>> pitch in :)
>>>
>>> I discovered recently that over 70% (!!) of my files.log are for
>>> X509 certificates. I decided to stop logging events to files.log
>>> where the MIME type is anything that smells like an X509 and that
>>> cut down my SIEM intake by not less than 20%.
>>>
>>> The only downside I see is that now I do not have the file hash of
>>> the X509 certificate logged.
>>>
>>> I tried several approaches but I cannot find a way to consistently
>>> access the X509 file hash value before the X509 record is written to
>>> the log.
>>>
>>> Ideally I would just add that hash to the x509 as an extra field and
>>> have the best of both worlds (and possibly the fuid as well).
>>>
>>> Is that something that can be even done?
>>>
>>> --
>>> M.
>>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
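
One way to do what the question asks, as an added example (not the script linked in the thread and not part of the Bro distribution): compute the certificate's SHA-1 inside the x509_certificate handler itself, so the value does not depend on when the file_hash event fires, and drop certificate entries from files.log with a log filter. It assumes Bro 2.6-era base scripts, where base/files/x509 populates f$info$x509 in x509_certificate at priority 5 and writes the record to x509.log afterwards, and that x509_get_certificate_string() returns the DER bytes of the certificate.

```zeek
# Added example: put the certificate hash into x509.log and keep
# certificates out of files.log. Assumes Bro 2.6-era base scripts.
@load base/frameworks/files
@load base/files/x509

# Extra field for x509.log. Older releases already log the file id
# as X509::Info$id, so only the hash is added here.
redef record X509::Info += {
	## SHA-1 over the DER-encoded certificate, computed directly from
	## the parsed certificate rather than taken from the SHA1 file analyzer.
	sha1: string &optional &log;
};

# Default priority 0 runs after the base script's priority-5 handler
# that creates f$info$x509, and before the log write, so the field is
# present in the record when it reaches x509.log.
event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate)
	{
	if ( ! f?$info || ! f$info?$x509 )
		return;

	# x509_get_certificate_string() with the default pem=F returns DER,
	# which is the same byte stream the SHA1 file analyzer would hash.
	local der = x509_get_certificate_string(cert_ref);
	f$info$x509$sha1 = sha1_hash(der);
	}

event bro_init()
	{
	# Replacing the filter named "default" keeps files.log as is for
	# everything except records whose MIME type looks like a certificate.
	Log::add_filter(Files::LOG, [$name="default",
		$pred=function(rec: Files::Info): bool
			{
			if ( ! rec?$mime_type )
				return T;
			return /x509|pkix-cert/ !in rec$mime_type;
			}]);
	}
```

With this loaded, x509.log carries a sha1 column for every certificate and files.log no longer receives application/x-x509-*-cert or application/pkix-cert records.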
