[Bro] Trying to get a simple detection on certificate hashes to fire

Azoff, Justin S jazoff at illinois.edu
Thu Mar 1 05:48:11 PST 2018


> On Mar 1, 2018, at 6:08 AM, Mike Eriksson <mike at swedishmike.org> wrote:
> 
> The hashes I'm using are taken from my x509.log - just to make sure that I tested against something that comes up quite a lot in our environment. I've been using data from the field 'serial' - since there is no actual field called 'hash' in either x509.log or known_certs. 
> 
> Have I been using the wrong identifier or is there some 'hash all certs' setting somewhere that I've missed? 

Ah... that is where you went wrong. The hashes for certs end up in files.log (with all other files).

It could make sense for it to be in the x509 or known certs log. I know there was some talk about re-doing that log file to be more useful and less verbose.

In any case, if you have a cert of interest in the x509.log, you can use the 'id' column to find the corresponding file record in the files.log.

The files.log has the sha1 column which is the hash you would add to the intel file.

If you wanted to see how it is implemented,

https://github.com/bro/bro/blob/master/scripts/policy/frameworks/intel/seen/x509.bro

is what produces all the intel data from certs.

— 
Justin Azoff
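
The join described above (x509.log 'id' to files.log 'fuid', then take the 'sha1' column) as an added worked example; this is not code from the thread or from the Bro project. It uses the Intel::CERT_HASH indicator type that the intel framework understands, and every log excerpt below is constructed for the example (a subset of the real columns, but the parser only relies on the #fields header, so it runs unchanged on full logs):

```python
"""Added example: join Bro's x509.log with files.log on the file id and emit
intel-file lines carrying each certificate's SHA1 as an Intel::CERT_HASH.

All log excerpts here are constructed for illustration; the column lists are a
subset of the real Bro logs, but parse_bro_log() reads the #fields header, so
it works on full logs as well."""
from typing import Dict, List, Tuple

# Constructed hash values (40 hex chars, like a real sha1 column).
SHA1_A = "0123456789abcdef0123456789abcdef01234567"
SHA1_B = "fedcba9876543210fedcba9876543210fedcba98"
SHA1_C = "1111111111111111111111111111111111111111"

# Constructed x509.log excerpt. 'id' is the file id that links to files.log.
X509_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tx509\n"
    "#fields\tts\tid\tcertificate.serial\tcertificate.subject\tcertificate.issuer\n"
    "#types\ttime\tstring\tstring\tstring\tstring\n"
    "1519876000.000001\tFconstructed1\t0A1B2C\tCN=example.test\tCN=Example Issuer\n"
    "1519876001.000001\tFconstructed2\t0D3E4F\tCN=other.test\tCN=Example Issuer\n"
    "1519876003.000001\tFconstructed4\t0F5A6B\tCN=unhashed.test\tCN=Example Issuer\n"
    "#close\t2018-03-01-00-00-00\n"
)

# Constructed files.log excerpt. 'fuid' matches x509.log's 'id'; the HTTP file
# has no x509 record, and Fconstructed4 was never hashed ('-' in sha1).
FILES_LOG = (
    "#separator \\x09\n"
    "#path\tfiles\n"
    "#fields\tts\tfuid\tsource\tmime_type\tmd5\tsha1\tsha256\n"
    "#types\ttime\tstring\tstring\tstring\tstring\tstring\tstring\n"
    "1519876000.000001\tFconstructed1\tSSL\tapplication/pkix-cert\t-\t" + SHA1_A + "\t-\n"
    "1519876001.000001\tFconstructed2\tSSL\tapplication/pkix-cert\t-\t" + SHA1_B + "\t-\n"
    "1519876002.000001\tFconstructed3\tHTTP\ttext/html\t-\t" + SHA1_C + "\t-\n"
    "1519876003.000001\tFconstructed4\tSSL\tapplication/pkix-cert\t-\t-\t-\n"
)

# Header of a Bro intel file (tab separated, like the logs themselves).
INTEL_HEADER = "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\tmeta.do_notice"


def parse_bro_log(text: str) -> List[Dict[str, str]]:
    """Parse a tab-separated Bro log into dicts keyed by the #fields header."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line:
            continue  # other header/footer lines and blank lines
        else:
            values = line.split("\t")
            if len(values) != len(fields):
                raise ValueError("column count does not match #fields header: %r" % line)
            rows.append(dict(zip(fields, values)))
    return rows


def cert_hashes(x509_rows: List[Dict[str, str]],
                files_rows: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (sha1, serial, subject) for every cert whose file record has a sha1."""
    files_by_id = {row["fuid"]: row for row in files_rows}
    found: List[Tuple[str, str, str]] = []
    for cert in x509_rows:
        file_row = files_by_id.get(cert["id"])
        if file_row is None:
            continue  # the cert's file record is not in this files.log slice
        sha1 = file_row.get("sha1", "-")
        if sha1 == "-":
            continue  # file was never hashed, so there is nothing to match on
        found.append((sha1, cert["certificate.serial"], cert["certificate.subject"]))
    return found


def intel_file_lines(hashes: List[Tuple[str, str, str]], source: str = "local-x509") -> List[str]:
    """Render intel-file lines; meta.desc keeps serial and subject for triage."""
    lines = [INTEL_HEADER]
    for sha1, serial, subject in hashes:
        desc = f"serial={serial} subject={subject}".replace("\t", " ")  # tabs would break the file
        lines.append("\t".join([sha1, "Intel::CERT_HASH", source, desc, "T"]))
    return lines


def build_intel_file(x509_text: str, files_text: str) -> List[str]:
    """End to end: parse both logs, join on the file id, emit intel lines."""
    return intel_file_lines(cert_hashes(parse_bro_log(x509_text), parse_bro_log(files_text)))


if __name__ == "__main__":
    print("\n".join(build_intel_file(X509_LOG, FILES_LOG)))
```

Run against real logs by reading x509.log and files.log into the two strings; the output is the file you point the intel framework at. Records whose 'sha1' is '-' are skipped rather than emitted as an empty indicator, and the HTTP file is ignored because it has no x509 record to join to.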
