Adding trusted cert to Bro (Security Onion)

I'm looking to add our internal domain CA to Bro so it can validate certs that are generated from the server. I am new to Bro, so I'm not sure where to start.

I found this: http://www.bro-ids.org/bro-workshop-2011/solutions/extending/index.html

Which sounds like it is exactly what I need to do, I'm just not sure how to go about it.

My SO deployment is a distributed setup (1 Master, 2 sensors so far). On the sensors, I have checked /opt/bro/share/bro/site/local.bro and found the following:

This script enables SSL/TLS certificate validation.

@load protocols/ssl/validate-certs

Checking the protocols/ssl directory, I don’t see that script. My question is, will it get loaded if I created the validate-certs script it's looking for?

Any help will be appreciated.

Thanks!

First, you need to look in policy/protocols/ssl, if you're checking the share/bro hierarchy.

Also, look at this: http://mailman.icsi.berkeley.edu/pipermail/bro/2012-February/005333.html

Michael,

In my recent (read: default) build for Security Onion, I have validate-certs.bro.

scott@SO-511:/opt/bro$ find . -iname “validate
./share/bro/policy/protocols/ssl/validate-certs.bro

Do you not have the same?

v/r
Scott

ugh, sorry…it IS there. I was in base. So where do I add the cert? Dump it here? share/bro/base/protocols/ssl/

Hi Michael,

Were it me, I would place it in /opt/bro/share/bro/site/

then issue install and restart from within broctl.

v/r
Scott Runnels

Any way to push that bro script out from my SO master?

Also, creating something like this will work too?

http://www.bro-ids.org/bro-workshop-2011/solutions/extending/mytrust.bro

Michael,

There isn’t. You’ll need to place it manually on each sensor.

v/r
Scott

Cool, thanks for the help!
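
An added example, not code from this thread or from the Bro project: a small Python helper that turns a PEM-encoded internal CA certificate into a Bro script extending `SSL::root_certs`, the table that validate-certs checks chains against. It assumes the Bro 2.x layout in which that table maps a string to the certificate's DER bytes written as `\xNN` escapes and the key serves as a descriptive label; the function names, the script name in the usage comment and the sample data are hypothetical, and the sample is a constructed 5-byte structure rather than a real certificate.

```python
import base64
import re
import sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed sample: a 5-byte DER SEQUENCE, NOT a real certificate.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode("ascii")
              + "\n-----END CERTIFICATE-----\n")


def pem_to_der(pem_text):
    """Return the DER bytes of the first certificate in a PEM string."""
    match = PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate block found")
    body = "".join(match.group(1).split())
    der = base64.b64decode(body, validate=True)
    # A certificate is a DER SEQUENCE, so its first byte must be 0x30.
    if not der or der[0] != 0x30:
        raise ValueError("decoded data is not a DER SEQUENCE")
    return der


def bro_root_cert_redef(label, pem_text):
    """Build a Bro script that appends one CA to SSL::root_certs."""
    der = pem_to_der(pem_text)
    # Escape backslashes and quotes so the label stays one Bro string.
    key = label.replace("\\", "\\\\").replace('"', '\\"')
    value = "".join("\\x%02X" % byte for byte in der)
    # Assumption: the table key is only a descriptive label for the CA.
    return ("@load base/protocols/ssl\n\n"
            "redef SSL::root_certs += {\n"
            '\t["%s"] = "%s"\n'
            "};\n" % (key, value))


if __name__ == "__main__":
    # Usage (hypothetical script name): python pem2bro.py "CA label" ca.pem
    if len(sys.argv) == 3:
        with open(sys.argv[2]) as handle:
            print(bro_root_cert_redef(sys.argv[1], handle.read()))
    else:
        print(bro_root_cert_redef("Constructed sample CA", SAMPLE_PEM))
```

The generated script goes in /opt/bro/share/bro/site/ on each sensor and needs an `@load` line in local.bro, followed by install and restart from broctl as described above.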