I think this is a question mostly for Johanna, but feel free to pitch in.
I discovered recently that over 70% (!!) of my files.log are for X509
certificates. I decided to stop logging events to files.log where the
MIME type is anything that smells like an X509 and that cut down my
SIEM intake by not less than 20%.
The only downside I see is now I do not have the file hash of the X509
certificate logged.
I tried several approaches but I cannot find a way to consistently
access the X509 file hash value before the X509 record is written to
the log.
Ideally I would just add that hash to the x509 as an extra field and
have the best of both worlds (and possibly the fuid as well).
One small additional question here - does the solution that you have now
satisfy this, or did you want the information in some other log-file (e.g.
ssl.log)?
Unless I am forgetting something big - not all that complicated... for
some measure of complicated. It might need extending a few records to have
the data in the right place... I would try doing it similarly to how the
certificate subject is currently put into ssl.log.
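One way to do what the thread sketches, as an added example rather than code from the thread or from the Zeek project: it assumes the stock base/files/x509 script creates f$info$x509 in x509_certificate and writes it from file_state_remove at &priority=5, and that the base SSL file scripts already attach the SHA1 hash analyzer to certificate files, so file_hash fires before that write. The mime_type pattern and the `no-x509` filter name are made up for the example.

```zeek
# Added example (not from the thread). Carries the certificate file's
# SHA1 and fuid into x509.log so that files.log entries for X509
# certificates can be dropped without losing the hash.

redef record X509::Info += {
	## SHA1 of the DER-encoded certificate, copied from the hash analyzer.
	sha1: string &optional &log;
	## File id (fuid), so the record can still be tied to files.log if kept.
	fuid: string &optional &log;
};

# Default priority (0) runs after the base hash script's &priority=5
# handler and before file_state_remove, where the x509 record is written,
# so the value lands in f$info$x509 in time to be logged.
event file_hash(f: fa_file, kind: string, hash: string)
	{
	if ( kind != "sha1" || ! f$info?$x509 )
		return;

	f$info$x509$sha1 = hash;
	f$info$x509$fuid = f$id;
	}

# Drop certificate files from files.log with a filter predicate instead of
# disabling the stream, so every other file type is still logged.
# Assumed MIME match: Zeek's certificate types contain "x509" or "pkix-cert".
event zeek_init()
	{
	Log::remove_default_filter(Files::LOG);
	Log::add_filter(Files::LOG, [$name="no-x509",
	    $pred(rec: Files::Info) = {
	        return ! ( rec?$mime_type && /x509|pkix-cert/ in rec$mime_type );
	    }]);
	}
```

On Bro 2.x the handler is named bro_init rather than zeek_init; everything else is unchanged.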