
List:       bro
Subject:    Re: [Bro] Trying to get a simple detection on certificate hashes to fire
From:       Mike Eriksson <mike () swedishmike ! org>
Date:       2018-03-01 14:02:49
Message-ID: CAMuthMczioMnziA8vEne7uOLKACaq1dDty=ONR6LDu3aFccbOw () mail ! gmail ! com

Justin,

Many thanks for that - looking in all the wrong places for the right things
as usual. ;)

Cheers, Mike

On Thu, Mar 1, 2018 at 1:48 PM Azoff, Justin S <jazoff@illinois.edu> wrote:

>
> > On Mar 1, 2018, at 6:08 AM, Mike Eriksson <mike@swedishmike.org> wrote:
> >
> > The hashes I'm using are taken from my x509.log - just to make sure that
> I tested against something that comes up quite a lot in our environment.
> I've been using data from the field 'serial' - since there is no actual
> field called 'hash' in either x509.log or known_certs.
> >
> > Have I been using the wrong identifier or is there some 'hash all certs'
> setting somewhere that I've missed?
>
> Ah.. that is where you went wrong..  The hashes for certs end up in
> files.log (with all other files).
>
> It could make sense for it to be in the x509 or known certs log. I know
> there was some talk about re-doing that log file to be more useful and less
> verbose.
>
> In any case, if you have a cert of interest in the x509.log, you can use
> the 'id' column to find the corresponding file record in the files.log
>
> The files.log has the sha1 column which is the hash you would add to the
> intel file.
>
> If you wanted to see how it is implemented,
>
>
> https://github.com/bro/bro/blob/master/scripts/policy/frameworks/intel/seen/x509.bro
>
> is what produces all the intel data from certs.
>
>
> —
> Justin Azoff
>
> --

website: http://swedishmike.org
twitter: https://twitter.com/swedishmike
github: http://github.com/swedishmike
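A worked example of the join Justin describes, added here and not taken from the thread or from the Bro project's own scripts: it reads an x509.log and a files.log (constructed sample data with the column sets trimmed to what the join needs), matches x509.log `id` to files.log `fuid`, skips certificates whose sha1 is unset (`-`), and renders lines for an intel file with indicator type `Intel::CERT_HASH`. The column names `id`, `fuid`, `sha1` and `certificate.serial` are the Bro 2.x log fields; the `meta.source` value and the serials are made up.

```python
# Added example: join Bro x509.log to files.log to get cert SHA-1s for an intel file.
# Sample logs below are constructed, with column sets trimmed to what the join needs.
X509_LOG = (
    "#fields\tts\tid\tcertificate.serial\tcertificate.subject\n"
    "1519912800.0\tFa1b2c3d4e\t0A1B2C\tCN=example.test\n"
    "1519912801.0\tFf6g7h8i9j\t0D3E4F\tCN=other.test\n"
)
FILES_LOG = (
    "#fields\tts\tfuid\tsource\tsha1\n"
    "1519912800.0\tFa1b2c3d4e\tSSL\ta94a8fe5ccb19ba61c4c0873d391e987982fbbd3\n"
    "1519912801.0\tFf6g7h8i9j\tSSL\t-\n"  # '-' is Bro's unset marker: no hash computed
)


def parse_bro_log(text):
    """Parse a tab-separated Bro ASCII log into dicts keyed by the #fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other header lines (#separator, #types, ...) and blanks
        elif fields:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def cert_hashes_for_serials(x509_text, files_text, serials):
    """Map wanted certificate serials (x509.log) to SHA-1s (files.log).

    x509.log 'id' is the file id, which is 'fuid' in files.log. Records whose
    sha1 is unset ('-') are skipped rather than emitted as a bogus indicator.
    """
    sha1_by_fuid = {r["fuid"]: r["sha1"] for r in parse_bro_log(files_text)}
    found = {}
    for r in parse_bro_log(x509_text):
        serial = r["certificate.serial"]
        sha1 = sha1_by_fuid.get(r["id"], "-")
        if serial in serials and sha1 != "-":
            found[serial] = sha1
    return found


def intel_file(hashes, source="local-cert-watch"):
    """Render Intel framework input lines with indicator_type Intel::CERT_HASH."""
    lines = ["#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc"]
    for serial, sha1 in sorted(hashes.items()):
        lines.append(f"{sha1}\tIntel::CERT_HASH\t{source}\tcert serial {serial}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    wanted = {"0A1B2C", "0D3E4F"}
    print(intel_file(cert_hashes_for_serials(X509_LOG, FILES_LOG, wanted)), end="")
```

The second sample certificate is dropped on purpose: a files.log row with sha1 `-` means no hash was computed for that file, so there is nothing to put in the intel file for it.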

_______________________________________________
Bro mailing list
bro@bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
