Hi all,
I am receiving a lot of alerts like this:
Bro SSL::Invalid_Server_Cert. 172.16.129.8 (Unknown):3040 -> 172.17.0.130 (Unknown):1610
which is correct: we are using a lot of self-signed certs in our infrastructure.
Is it possible to disable this type of alert for an IP or a group of IPs?
Thanks.
A script like this may do what you want:
const invalid_ssl_whitelist: set[addr] = {
	# Add IPs here
} &redef;

hook Notice::policy(n: Notice::Info)
	{
	if ( n$note == SSL::Invalid_Server_Cert &&
	     n$conn$id$resp_h in invalid_ssl_whitelist )
		# Clear all actions for this notice.
		n$actions = Notice::ActionSet();
	}
You can probably also add logic to filter only if the reason it’s invalid is due to self-signing (e.g. as opposed to expired) by inspecting n$msg.
Some related docs to reference:
https://www.bro.org/sphinx/frameworks/notice.html
- Jon
Many thanks Jon,
But I am doing something wrong. When I launch "bro check", I receive the following error:
bro scripts failed.
error in /data/config/etc/bro/policy/custom.bro, line 24: unknown identifier SSL::Invalid_Server_Cert, at or near "SSL::Invalid_Server_Cert"
Actually:
# Disable SSL::Invalid_Server_Cert alert for internal hosts
const invalid_ssl_whitelist: set[addr] = {
	10.19.0.12
} &redef;

hook Notice::policy(n: Notice::Info)
	{
	if ( n$note == SSL::Invalid_Server_Cert &&
	     n$conn$id$resp_h in invalid_ssl_whitelist )
		# Clear all actions for this notice.
		n$actions = Notice::ActionSet();
	}
# This script logs which scripts were loaded during each run.
@load misc/loaded-scripts
Ok, problem solved. Forget it. Sorry for this last post.
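Putting Jon's hook together with the cause of the "unknown identifier" error, here is a complete custom.bro that does what was asked (suppress SSL::Invalid_Server_Cert for a group of internal hosts, and only when the failure is a self-signed cert). This is an added example, not code from the thread: the subnets are hypothetical, the names LocalSSL, trusted_self_signed, only_self_signed and is_expected_self_signed are my own, and the regex relies on the assumption that validate-certs.bro puts OpenSSL's verification error string into n$msg.

```bro
# custom.bro -- added example, not from the thread above.
#
# SSL::Invalid_Server_Cert is declared in policy/protocols/ssl/validate-certs.bro,
# which is not one of the base scripts. If this file is parsed before that one,
# "bro check" reports "unknown identifier SSL::Invalid_Server_Cert", so load it
# explicitly before referring to the notice type.
@load protocols/ssl/validate-certs

module LocalSSL;

export {
	## Internal servers whose certs are known to be self-signed. Using subnets
	## lets a single host (a /32) or a whole range be listed. The values below
	## are hypothetical examples; override them with "redef LocalSSL::trusted_self_signed += { ... };".
	const trusted_self_signed: set[subnet] = {
		10.19.0.12/32,
		172.17.0.0/16,
	} &redef;

	## If T, only notices whose validation failure is "self signed" are
	## suppressed. An expired or otherwise broken cert on the same host is
	## still reported, which is the distinction Jon mentioned.
	const only_self_signed = T &redef;
}

# Assumption: validate-certs.bro formats the message as
# "SSL certificate validation failed with (<OpenSSL error string>)", and OpenSSL
# names the two self-signed cases "self signed certificate" and
# "self signed certificate in certificate chain".
const self_signed_pattern = /self signed certificate/ &redef;

# Returns T when the notice is an Invalid_Server_Cert for a whitelisted
# responder and (optionally) the failure reason is self-signing.
function is_expected_self_signed(n: Notice::Info): bool
	{
	if ( n$note != SSL::Invalid_Server_Cert )
		return F;

	# n$id is optional; the notice framework fills it from n$conn before the
	# policy hook runs, but check rather than dereference blindly.
	if ( ! n?$id || n$id$resp_h !in trusted_self_signed )
		return F;

	if ( only_self_signed && self_signed_pattern !in n$msg )
		return F;

	return T;
	}

hook Notice::policy(n: Notice::Info)
	{
	if ( is_expected_self_signed(n) )
		# Drop every action (log, alarm, e-mail) for this notice. The framework's
		# own handler runs at &priority=10, i.e. before this default-priority one,
		# so nothing re-adds the actions afterwards.
		n$actions = Notice::ActionSet();
	}
```

Run "bro check" (or "broctl check") after editing: if validate-certs is missing from the load chain the identifier error comes back, and a typo in a subnet literal is caught at parse time rather than silently whitelisting nothing. Hosts that are not in the list still produce the notice, and a whitelisted host presenting an expired cert still produces it as long as only_self_signed stays T.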