I'm looking to add our internal domain CA to Bro so it can validate certs that are generated from the server. I am new to Bro, so I'm not sure where to start.
I found this: http://www.bro-ids.org/bro-workshop-2011/solutions/extending/index.html
Which sounds like it is exactly what I need to do, I'm just not sure how to go about it.
My SO deployment is a distributed setup (1 Master, 2 sensors so far). On the sensors, I have checked /opt/bro/share/bro/site/local.bro and found the following:
This script enables SSL/TLS certificate validation.
Checking the protocols/ssl directory, I don't see that script. My question is, will it get loaded if I create the validate-certs script it's looking for?
Any help will be appreciated.
First, you need to look in policy/protocols/ssl, if you're checking the share/bro hierarchy.
Also, look at this: http://mailman.icsi.berkeley.edu/pipermail/bro/2012-February/005333.html
In my recent (read: default) build for Security Onion, I have validate-certs.bro.
scott@SO-511:/opt/bro$ find . -iname "*validate*"
Do you not have the same?
ugh, sorry…it IS there. I was in base. So where do I add the cert? Dump it here? share/bro/base/protocols/ssl/
Were it me, I would place it in /opt/bro/share/bro/site/ then issue install and restart from within broctl.
Any way to push that bro script out from my SO master?
There isn’t. You’ll need to place it manually on each sensor.
Cool, thanks for the help!
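
Added example, not part of the thread: a small Python converter that turns a PEM CA certificate into a Bro script that extends `SSL::root_certs`, the table validate-certs checks chains against. It assumes the Bro 2.x convention of storing each root as a `\x`-escaped DER string under a descriptive key; the label and the embedded sample bytes are constructed placeholders, and the output file would go in the site directory mentioned above and be loaded from local.bro.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem_text):
    """Return the DER bytes of every certificate block found in pem_text."""
    ders = [base64.b64decode("".join(body.split()), validate=True)
            for body in PEM_RE.findall(pem_text)]
    if not ders:
        raise ValueError("no PEM certificate block found")
    return ders

def bro_escape(der):
    """Encode raw bytes as a Bro string literal body (\\xNN per byte)."""
    return "".join("\\x%02X" % b for b in der)

def bro_redef(label, pem_text):
    """Build a 'redef SSL::root_certs' script for all certs in pem_text."""
    ders = pem_to_der(pem_text)
    entries = []
    for i, der in enumerate(ders):
        # Every X.509 certificate is a DER SEQUENCE, so it must start with 0x30.
        if der[:1] != b"\x30":
            raise ValueError("certificate %d is not a DER SEQUENCE" % i)
        # The key is only a descriptive label (assumption); keep it unique.
        key = label if len(ders) == 1 else "%s #%d" % (label, i + 1)
        entries.append('\t["%s"] = "%s"'
                       % (key.replace('"', '\\"'), bro_escape(der)))
    return "redef SSL::root_certs += {\n" + ",\n".join(entries) + "\n};\n"

# Constructed sample: six arbitrary bytes starting with 0x30, NOT a real
# certificate. Replace with the contents of the internal CA's PEM file.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MAQCAgEq
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    # Hypothetical label; use the CA's subject so the entry is recognisable.
    print(bro_redef("CN=Example Internal CA (placeholder)", SAMPLE_PEM))
```

Because there is no push from the master, the generated file has to be copied to each sensor before running install and restart in broctl there.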