SSLBL

James_Lay · July 15, 2014, 4:40pm

Interesting:

https://sslbl.abuse.ch/blacklist/

Wonder if bro can support this?

James

johanna · July 15, 2014, 4:55pm

Hello James,

using blacklists like this is actually quite easy nowadays. Just loading the list of blacklisted SHA-1 hashes into the intel framework and making sure that policy/frameworks/intel/seen/file-hashes.bro is loaded should be enough.

Certificates used in SSL connections are handled just like files, so if one of the certificates is encountered after loading the data, it should trigger a notification.

You just have to reformat the list for the intel framework.

Johanna

James_Lay · July 15, 2014, 4:59pm

Thank you Johanna...I will go down that path.

James

netantho · July 30, 2014, 10:08pm

Hi,

I created a python script to parse get the latest version of a blacklist
and convert it to the bro intel framework format:
https://gist.github.com/netantho/b4f5a3df008184119695#file-gistfile1-py

Thanks James and Johanna for the idea

Anthony

johanna · July 30, 2014, 10:21pm

...and the same in perl: https://github.com/0xxon/bro-utils/blob/master/convert-blacklist.pl

I sent that to James a while ago but forgot to CC the list.

Johanna

Topic		Replies	Views
Blacklist DNS alerting Zeek	2	64	May 6, 2022
Trying to get a simple detection on certificate hashes to fire Zeek	3	70	May 6, 2022
Intel Framework Question Zeek	4	62	May 6, 2022
IOCs data for hashes. Zeek	7	65	May 6, 2022
Playing with the input framework Zeek	4	66	May 6, 2022

SSLBL

Related Topics