Trying to get a simple detection on certificate hashes to fire

Hi all,

I’m trying to create what I assume should be a simple detection and notification based on certificate hashes. Sadly I seem to have got something very wrong, since it doesn’t fire at all.

What I’ve done is that I’ve created a file named certstream.bro with the following content:

@load base/frameworks/intel
@load frameworks/intel/seen
@load frameworks/intel/do_notice

redef Intel::read_files += {
	"/usr/local/bro/share/site/certstream/intel.dat"
};

I load this file from local.bro with no errors or complaints, it shows up in loaded_scripts.log and all that.

The file I reference as my ‘Intelligence file’ looks as follows:

#fields	indicator	indicator_type	meta.source	meta.desc	meta.do_notice
7B00009ACF21C67564F1AC3C31000000009ACF	Intel::CERT_HASH	certstream	Stolen hash from the x509 log	T
0551B592FA53CF2052B8B70F275CC159	Intel::CERT_HASH	certstream	Stolen hash from the x509 log	T
2AA9E2483E8C62DF0037D183	Intel::CERT_HASH	certstream	Stolen hash from the x509 log	T

The hashes I’m using are taken from my x509.log - just to make sure that I tested against something that comes up quite a lot in our environment. I’ve been using data from the field ‘serial’ - since there is no actual field called ‘hash’ in either x509.log or known_certs.

Have I been using the wrong identifier or is there some ‘hash all certs’ setting somewhere that I’ve missed?

As always - grateful for any tips or pointers.

Thanks in advance, Mike

Ah... that is where you went wrong. The hashes for certs end up in files.log (with all other files).

It could make sense for it to be in the x509 or known certs log. I know there was some talk about re-doing that log file to be more useful and less verbose.

In any case, if you have a cert of interest in the x509.log, you can use the 'id' column to find the corresponding file record in the files.log.

The files.log has the sha1 column which is the hash you would add to the intel file.

If you wanted to see how it is implemented,

https://github.com/bro/bro/blob/master/scripts/policy/frameworks/intel/seen/x509.bro

is what produces all the intel data from certs.

Justin,

Many thanks for that - looking in all the wrong places for the right things as usual. ;)

Cheers, Mike