when activating the x509.log or bro script in local.bro, can I configure a BPF filter to only affect x509 framework? For example I only want to have events that the dst_host is our DMZ subnet. Can I configure that in the x509.bro file/framework or some other bro configuration file? If so is this a local variable called subnet or something?
Just to repeat my answer from the bug tracker:
you can add bpf filters with the syntax described in
https://www.bro.org/sphinx/scripts/base/frameworks/packet-filter/main.bro.html
The thread at
http://comments.gmane.org/gmane.comp.security.detection.bro/4759 also has
a few examples. There is no easy way to tell Bro to just allow traffic
containing x509 certificates - you have to build the filter yourself, only
allowing the hosts and services that have traffic containing x509
certificates. If using broctl, typically you would add the filter commands
to local.bro or to a script that you load from local.bro – it is
discouraged to edit any scripts in base/ or policy/ yourself.
Do you need anything else, or does that perhaps fulfill your requirements?
Johanna