Hello,
I am trying to implement the detection of CVE-2020-0601 with zeek (https://blog.zeek.org/2020/01/detecting-cve-2020-0601-with-zeek.html) using the first package (https://github.com/0xxon/cve-2020-0601) but I keep encountering some errors.
Version for bro in my environment: bro version 2.5.5
First thing I did was add this to our local.bro file: redef CVE_2020_0601::log_certs = T;
But when I ran “broctl check” I got the following error message: error in /usr/local/bro/share/bro/site/local.bro, line 13: “redef” used but not previously defined (CVE_ 2020_0601::log_certs)
So I created the following file in “share/bro/base/frameworks/notice/cve-2020-0601.bro” and added the script from: https://github.com/0xxon/cve-2020-0601/blob/master/scripts/cve-2020-0601.bro
And also edited the following file “share/bro/base/frameworks/notice/load.bro” and added: @load ./cve-2020-0601
Now when I run “broctl check” I am getting the following error message:
error in /usr/local/bro/share/bro/base/frameworks/notice/./cve-2020-0601.bro, line 5: syntax error, at or near “option”
When I comment out line 5 line I get:
error in /usr/local/bro/share/bro/base/frameworks/notice/./cve-2020-0601.bro, line 26: unknown identifier Version::at_least, at or near “Version::at_least”
When I comment out line 26 I get:
error in /usr/local/bro/share/bro/base/frameworks/notice/./cve-2020-0601.bro, line 35: unknown identifier f, at or near “f”
Can someone please help me with this? Am I setting it up right?
Thanks in advance.
Hi Kayode,
the script does, out of the box, not support anything below bro 2.6.
You can probably make it run by changing the option to a “const log_certs = F &redef” and changing the @if (Version:
to @if ( 0 ). However, note that while it should work it has not been tested on these systems.
Also - please consider updating your Zeek installation. You are missing important security and performance fixes.
Johanna
Thanks Johanna for your response.
I set it up and tested it out on another bro instance we have running bro version 2.6.3 and got this same error message:
error in /usr/local/bro/share/bro/base/frameworks/notice/./cve-2020-0601.bro, line 26: unknown identifier Version::at_least, at or near "Version::at_least"
Oh, sorry - I did not quite thoroughly enough parse all of your first email.
The reason for this is load ordering. You added the script to somewhere in /share/bro/base. You should never add scripts to base (or change scripts in base). We always assume that things in base are untouched - they will be overwritten on updates/upgrades. And if you change things in base you will also have to make sure that you don’t break things because of ordering issues.
In any case - just move the script to share/bro/site and @load it from your local.bro, before the line in which you perform the redef - and everything should work
Alternatively you can also install it via the package manager.
I hope this helps,
Johanna
Thanks again for your response.
How do I test that the openssl version we have installed automatically converts explicit curves to names while the certificate is parsed?
We currently have this version of openssl installed: openssl-1.0.2k-19.el7.x86_64
Thanks.
Kayode Enwerem (CTR)
Security Tools Linux Admin
ITSO/SOC
Administrative Office of the U.S. Courts
(202) 227-1530
Hi Kayode,
you can test it by running the test suite included with the package (git clone it and then run btest in the testing directory - or try installing it with the zeek package manager). That will run it automatically.
Also - it is not really all that important - you just increase your probability of false positives a bit. That being said - I have not actually heard of anyone encountering a false positives - certificates with explicit curves are exceedingly rare.
Johanna