[Bro] Trying to get a simple detection on certificate hashes to fire
Mike Eriksson
mike at swedishmike.org
Thu Mar 1 03:08:17 PST 2018
Hi all,
I'm trying to create what I assume should be a simple detection and
notification based on certificate hashes. Sadly I seem to have gotten
something very wrong, since it doesn't fire at all.
What I've done is that I've created a file named certstream.bro with the
following content:
<- Cut ->
@load base/frameworks/intel
@load frameworks/intel/seen
@load frameworks/intel/do_notice
redef Intel::read_files += {
"/usr/local/bro/share/site/certstream/intel.dat"
};
<- Cut ->
I load this file from local.bro with no errors or complaints, it shows up
in loaded_scripts.log and all that.
The file I reference as my 'Intelligence file' looks as follows:
<- Cut ->
#fields	indicator	indicator_type	meta.source	meta.desc	meta.do_notice
7B00009ACF21C67564F1AC3C31000000009ACF	Intel::CERT_HASH	certstream	Stolen hash from the x509 log	T
0551B592FA53CF2052B8B70F275CC159	Intel::CERT_HASH	certstream	Stolen hash from the x509 log	T
2AA9E2483E8C62DF0037D183	Intel::CERT_HASH	certstream	Stolen hash from the x509 log	T
<- Cut ->
The hashes I'm using are taken from my x509.log - just to make sure that I
tested against something that comes up quite a lot in our environment. I've
been using data from the field 'serial' - since there is no actual field
called 'hash' in either x509.log or known_certs.
Have I been using the wrong identifier or is there some 'hash all certs'
setting somewhere that I've missed?
As always - grateful for any tips or pointers.
Thanks in advance, Mike
--
website: http://swedishmike.org
twitter: https://twitter.com/swedishmike
github: http://github.com/swedishmike
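Added example, not code from the post or from the Bro project: a small Python checker for an Intel::read_files input file like the one above. It assumes the file is tab-separated and that Intel::CERT_HASH indicators are compared against the certificate's SHA-1 (40 hex digits), as the Intel framework documents; the samples at the bottom are constructed to mirror the posted file.

```python
import re

# Intel::CERT_HASH is matched against the certificate's SHA-1, so a usable
# indicator is 40 hex digits. Every data row must have as many tab-separated
# columns as the #fields header declares, or the input reader rejects it.
SHA1_RE = re.compile(r"^[0-9a-fA-F]{40}$")

def check_intel_file(text: str) -> list:
    """Return a list of problems; an empty list means the file looks loadable."""
    problems = []
    lines = text.splitlines()
    if not lines or not lines[0].startswith("#fields\t"):
        return ["first line must be a tab-separated '#fields' header"]
    fields = lines[0].split("\t")[1:]
    for n, line in enumerate(lines[1:], start=2):
        if not line.strip() or line.startswith("#"):
            continue
        cols = line.split("\t")
        if len(cols) != len(fields):
            problems.append(f"line {n}: {len(cols)} columns, header declares {len(fields)}")
            continue
        row = dict(zip(fields, cols))
        if row.get("indicator_type") == "Intel::CERT_HASH" and not SHA1_RE.match(row["indicator"]):
            problems.append(f"line {n}: CERT_HASH indicator {row['indicator']!r} is not a 40-hex-digit SHA-1")
    return problems

# Constructed samples. The first mirrors the posted file: the header lacks the
# meta.desc column that every row carries, and the indicators are x509.log
# serial numbers rather than certificate SHA-1 hashes.
AS_POSTED = (
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.do_notice\n"
    "7B00009ACF21C67564F1AC3C31000000009ACF\tIntel::CERT_HASH\tcertstream\tStolen hash from the x509 log\tT\n"
    "0551B592FA53CF2052B8B70F275CC159\tIntel::CERT_HASH\tcertstream\tStolen hash from the x509 log\tT\n"
)
# Header fixed but the row still carries a serial: column check passes, SHA-1 check fails.
SERIALS_ONLY = (
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\tmeta.do_notice\n"
    "7B00009ACF21C67564F1AC3C31000000009ACF\tIntel::CERT_HASH\tcertstream\tStolen hash from the x509 log\tT\n"
)
# Header fixed and a placeholder 40-hex-digit value (not a real certificate hash).
FIXED = (
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\tmeta.do_notice\n"
    "da39a3ee5e6b4b0d3255bfef95601890afd80709\tIntel::CERT_HASH\tcertstream\tplaceholder SHA-1\tT\n"
)

if __name__ == "__main__":
    for name, sample in [("as posted", AS_POSTED), ("serials only", SERIALS_ONLY), ("fixed", FIXED)]:
        print(name, "->", check_intel_file(sample) or "OK")
```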