Adding trusted cert to Bro (Security Onion)

I'm looking to add our internal domain CA to Bro so it can validate certs that are generated from the server. I am new to Bro, so I'm not sure where to start.

I found this:

Which sounds like it is exactly what I need to do, I'm just not sure how to go about it.

My SO deployment is a distributed setup (1 Master, 2 sensors so far). On the sensors, I have checked /opt/bro/share/bro/site/local.bro and found the following:

This script enables SSL/TLS certificate validation.

@load protocols/ssl/validate-certs

Checking the protocols/ssl directory, I don't see that script. My question is, will it get loaded if I create the validate-certs script it's looking for?

Any help will be appreciated.


First, you need to look in policy/protocols/ssl, if you're checking the share/bro hierarchy.

Also, look at this:


In my recent (read: default) build for Security Onion, I have validate-certs.bro.

scott@SO-511:/opt/bro$ find . -iname "validate

Do you not have the same?


Ugh, sorry… it IS there. I was in base. So where do I add the cert? Dump it here? share/bro/base/protocols/ssl/

Hi Michael,

Were it me, I would place it in /opt/bro/share/bro/site/

then issue install and restart from within broctl.

Scott Runnels
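To illustrate the suggestion above (a site script that teaches validate-certs about the internal CA), here is an added example that is not from this thread or from the Bro project: it converts a PEM CA certificate into the `redef SSL::root_certs` form that Bro's bundled CA list uses. The PEM blob below is constructed filler, not a real certificate, and the table label is an assumed descriptive name.

```python
import base64
import re
import textwrap

# Constructed sample: NOT a real certificate, just PEM-framed bytes so the
# conversion can be demonstrated offline. Use your internal CA's PEM file.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MIIBAgMEBQ==
-----END CERTIFICATE-----
"""


def pem_to_der(pem: str) -> bytes:
    """Extract the base64 body between the PEM markers and decode it to DER."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(m.group(1).split()))


def der_to_bro_literal(der: bytes) -> str:
    """Render DER bytes as a Bro string literal using \\xNN escapes, the same
    form Bro's mozilla-ca-list.bro uses for SSL::root_certs values."""
    return "".join(f"\\x{b:02x}" for b in der)


def bro_root_cert_script(label: str, pem: str) -> str:
    """Build a site script that appends one CA to SSL::root_certs so that
    protocols/ssl/validate-certs treats certificates it issued as trusted.
    The label is only a table key for display; validation uses the DER value."""
    literal = der_to_bro_literal(pem_to_der(pem))
    return textwrap.dedent(f"""\
        ##! Trust the internal CA so validate-certs stops flagging its leaf certs.
        @load protocols/ssl/validate-certs

        redef SSL::root_certs += {{
            ["{label}"] = "{literal}",
        }};
        """)


if __name__ == "__main__":
    # Output is meant to be saved as a .bro file under share/bro/site/.
    print(bro_root_cert_script("Example Internal CA (constructed)", SAMPLE_PEM))
```

Save the output under /opt/bro/share/bro/site/ and `@load` it from local.bro, then run `install` and `restart` in broctl as described above.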

Any way to push that bro script out from my SO master?

Also, will creating something like this work too?


There isn’t. You’ll need to place it manually on each sensor.


Cool, thanks for the help!