Hi all,
I’m trying to create what I assume should be a simple detection and notification based on certificate hashes. Sadly I seem to have gotten something very wrong, since it doesn’t fire at all.
What I’ve done is that I’ve created a file named certstream.bro with the following content:
← Cut →
@load base/frameworks/intel
@load frameworks/intel/seen
@load frameworks/intel/do_notice
redef Intel::read_files += {
    "/usr/local/bro/share/site/certstream/intel.dat"
};
← Cut →
I load this file from local.bro with no errors or complaints; it shows up in loaded_scripts.log and all that.
The file I reference as my ‘Intelligence file’ looks as follows:
← Cut →
#fields	indicator	indicator_type	meta.source	meta.desc	meta.do_notice
7B00009ACF21C67564F1AC3C31000000009ACF	Intel::CERT_HASH	certstream	Stolen hash from the x509 log	T
0551B592FA53CF2052B8B70F275CC159	Intel::CERT_HASH	certstream	Stolen hash from the x509 log	T
2AA9E2483E8C62DF0037D183	Intel::CERT_HASH	certstream	Stolen hash from the x509 log	T
← Cut →
The hashes I’m using are taken from my x509.log - just to make sure that I tested against something that comes up quite a lot in our environment. I’ve been using data from the field ‘serial’ - since there is no actual field called ‘hash’ in either x509.log or known_certs.
Have I been using the wrong identifier or is there some ‘hash all certs’ setting somewhere that I’ve missed?
As always - grateful for any tips or pointers.
Thanks in advance, Mike
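Added example, not part of the post above and not Bro/Zeek project code: a small Python script that builds an Intel framework input file for Intel::CERT_HASH indicators and sanity-checks an existing one. It relies on two documented properties of the Intel framework: the input file is tab-separated with a `#fields` header whose column count every data row must match, and `Intel::CERT_HASH` is the SHA-1 hash of the certificate (40 hex digits), which is a different value from the X.509 serial number. The certificate bytes, the `certstream` source name and the row descriptions are constructed for the demonstration; the column layout including `meta.desc` is an assumption that fits the five-column rows shown in the post.

```python
"""Added example (not from the post): build and sanity-check a Bro/Zeek Intel
framework input file for Intel::CERT_HASH indicators.

Checks performed on an existing file:
  * the first line is a '#fields' header and the file is tab-separated
  * every data row has exactly as many columns as the header declares
  * CERT_HASH indicators are 40 hex digits (a SHA-1), not serial numbers
Everything below (certificate bytes, rows, source name) is constructed data.
"""
import hashlib
import re

# Assumed column layout for the generated file; meta.desc is optional in Zeek
# but included here because the rows carry a description.
INTEL_FIELDS = ["indicator", "indicator_type", "meta.source", "meta.desc", "meta.do_notice"]
SHA1_HEX = re.compile(r"^[0-9a-fA-F]{40}$")


def cert_hash_indicator(der_bytes):
    """Return the Intel::CERT_HASH indicator for a certificate: SHA-1 of its DER bytes."""
    return hashlib.sha1(der_bytes).hexdigest()


def build_intel_file(rows):
    """rows: iterable of (indicator, indicator_type, source, desc, do_notice: bool).
    Returns tab-separated text suitable for Intel::read_files."""
    lines = ["#fields\t" + "\t".join(INTEL_FIELDS)]
    for indicator, itype, source, desc, do_notice in rows:
        lines.append("\t".join([indicator, itype, source, desc, "T" if do_notice else "F"]))
    return "\n".join(lines) + "\n"


def validate_intel_file(text):
    """Return a list of problems; an empty list means the file passes every
    check this script knows about (this is not a full Zeek parse)."""
    problems = []
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("#fields"):
        return ["line 1: file must start with a '#fields' header"]
    header = lines[0]
    if "\t" in header:
        fields = header.split("\t")[1:]
    else:
        # A space-separated header is one tab-separated column as far as Zeek is concerned.
        problems.append("line 1: '#fields' header is separated by spaces, not tabs")
        fields = header.split()[1:]
    missing = [r for r in ("indicator", "indicator_type") if r not in fields]
    if missing:
        problems.append(f"line 1: header lacks mandatory column(s) {missing}")
        return problems
    ind_col = fields.index("indicator")
    type_col = fields.index("indicator_type")
    for lineno, line in enumerate(lines[1:], start=2):
        if line.startswith("#"):
            continue  # other '#' lines are metadata or comments
        cols = line.split("\t")
        if len(cols) != len(fields):
            problems.append(f"line {lineno}: {len(cols)} tab-separated column(s) "
                            f"but header declares {len(fields)}")
            continue
        if cols[type_col] == "Intel::CERT_HASH" and not SHA1_HEX.match(cols[ind_col]):
            problems.append(f"line {lineno}: CERT_HASH indicator {cols[ind_col]!r} is not "
                            f"a 40-hex-digit SHA-1 (a serial number?)")
    return problems


# Constructed stand-ins for the DER encoding of three certificates.
FAKE_CERTS = [b"constructed-cert-1", b"constructed-cert-2", b"constructed-cert-3"]

GOOD_FILE = build_intel_file(
    (cert_hash_indicator(der), "Intel::CERT_HASH", "certstream", "SHA-1 of cert DER", True)
    for der in FAKE_CERTS
)

# Constructed file with the shape of the one in the post: space-separated,
# four header names, and a serial number in the indicator column.
POSTED_SHAPE = (
    "#fields indicator indicator_type meta.source meta.do_notice\n"
    "0551B592FA53CF2052B8B70F275CC159 Intel::CERT_HASH certstream Stolen hash from the x509 log T\n"
)

if __name__ == "__main__":
    for name, text in (("posted shape", POSTED_SHAPE), ("generated", GOOD_FILE)):
        print(f"{name}:", validate_intel_file(text) or "OK")
```

Run stand-alone it reports the header and column-count problems for the space-separated file and `OK` for the generated one. The SHA-1 that the stock `frameworks/intel/seen` scripts match against is the hash of the certificate's DER bytes, not the `serial` column of x509.log; in Bro 2.x that hash is recorded in the `sha1` column of files.log for the certificate's `fuid`, which is the place to copy indicators from when testing against live traffic.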