SSLBL

Interesting:

https://sslbl.abuse.ch/blacklist/

Wonder if bro can support this?

James

Hello James,

using blacklists like this is actually quite easy nowadays. Just loading the list of blacklisted SHA-1 hashes into the intel framework and making sure that policy/frameworks/intel/seen/file-hashes.bro is loaded should be enough.

Certificates used in SSL connections are handled just like files, so if one of the certificates is encountered after loading the data, it should trigger a notification.

You just have to reformat the list for the intel framework.

Johanna

Thank you Johanna...I will go down that path.

James

Hi,

I created a python script to get the latest version of a blacklist
and convert it to the bro intel framework format:
https://gist.github.com/netantho/b4f5a3df008184119695#file-gistfile1-py

Thanks James and Johanna for the idea :)

Anthony
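As an added illustration of the conversion Johanna describes and Anthony scripted (this is example code, not Anthony's gist or anything from the Bro project), here is a small converter from the SSLBL CSV layout to a Bro intel file. It assumes the CSV columns are Listingdate,SHA1,Listingreason (the sample rows are constructed, not real blacklist entries) and emits Intel::CERT_HASH indicators so that file-hashes.bro matches them against certificate SHA-1s; malformed hashes are skipped and tabs in descriptions are stripped so they cannot break the tab-separated intel format.

```python
import csv
import io
import re

# Constructed sample in the assumed SSLBL CSV layout; hashes are made up.
SAMPLE_SSLBL_CSV = """\
# abuse.ch SSLBL (constructed sample for this example)
# Listingdate,SHA1,Listingreason
2014-07-10 10:00:00,0123456789abcdef0123456789abcdef01234567,Example botnet C&C
2014-07-11 11:00:00,89ABCDEF0123456789ABCDEF0123456789ABCDEF,Example C&C\twith tab
2014-07-12 12:00:00,not-a-sha1,Malformed row that must be skipped
"""

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
# Bro intel files are tab-separated with a #fields header line.
INTEL_HEADER = "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc"


def parse_sslbl(text):
    """Return [(sha1, reason), ...] for well-formed rows; comments and rows
    whose hash is not 40 hex characters are dropped. Hashes are lowercased
    because Bro reports certificate SHA-1s in lowercase hex."""
    rows = []
    for fields in csv.reader(io.StringIO(text)):
        if not fields or fields[0].startswith("#") or len(fields) < 3:
            continue
        sha1 = fields[1].strip().lower()
        if not SHA1_RE.match(sha1):
            continue
        rows.append((sha1, fields[2].strip()))
    return rows


def to_intel(rows, source="sslbl.abuse.ch"):
    """Render rows as intel lines of type Intel::CERT_HASH. A tab inside the
    description would shift the columns, so tabs are replaced by spaces."""
    lines = [INTEL_HEADER]
    for sha1, reason in rows:
        desc = reason.replace("\t", " ")
        lines.append("\t".join([sha1, "Intel::CERT_HASH", source, desc]))
    return "\n".join(lines) + "\n"


def convert(text):
    return to_intel(parse_sslbl(text))


if __name__ == "__main__":
    print(convert(SAMPLE_SSLBL_CSV), end="")
```

Write the output to a file and point Bro at it with `redef Intel::read_files += { "/path/to/sslbl.intel" };` alongside `@load frameworks/intel/seen`.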

...and the same in perl: https://github.com/0xxon/bro-utils/blob/master/convert-blacklist.pl

I sent that to James a while ago but forgot to CC the list.

Johanna