[Bro] Trying to get a simple detection on certificate hashes to fire
Mike Eriksson
mike at swedishmike.org
Thu Mar 1 06:02:49 PST 2018
Justin,
Many thanks for that - looking in all the wrong places for the right things
as usual. ;)
Cheers, Mike
On Thu, Mar 1, 2018 at 1:48 PM Azoff, Justin S <jazoff at illinois.edu> wrote:
>
> > On Mar 1, 2018, at 6:08 AM, Mike Eriksson <mike at swedishmike.org> wrote:
> >
> > The hashes I'm using are taken from my x509.log - just to make sure that
> I tested against something that comes up quite a lot in our environment.
> I've been using data from the field 'serial' - since there is no actual
> field called 'hash' in either x509.log or known_certs.
> >
> > Have I been using the wrong identifier or is there some 'hash all certs'
> setting somewhere that I've missed?
>
> Ah.. that is where you went wrong.. The hashes for certs end up in
> files.log (with all other files).
>
> It could make sense for it to be in the x509 or known certs log. I know
> there was some talk about re-doing that log file to be more useful and less
> verbose.
>
> In any case, if you have a cert of interest in the x509.log, you can use
> the 'id' column to find the corresponding file record in the files.log
>
> The files.log has the sha1 column which is the hash you would add to the
> intel file.
>
> If you wanted to see how it is implemented,
>
>
> https://github.com/bro/bro/blob/master/scripts/policy/frameworks/intel/seen/x509.bro
>
> is what produces all the intel data from certs.
>
>
> —
> Justin Azoff
>
> --
website: http://swedishmike.org
twitter: https://twitter.com/swedishmike
github: http://github.com/swedishmike
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180301/79de2ac4/attachment-0001.html
More information about the Bro
mailing list