I have a small work-in-progress Zeek package that should be able to detect if someone is trying to exploit this in TLS communication, e.g. when impersonating a server.
But - before you run and install it - please read this email for more details on the package and the advantages/disadvantages over the old one.
Due to the fact that not everyone will be able to use the new package, the old package will also stay available at https://github.com/0xxon/cve-2020-0601
Using this, I verified that both versions of the package successfully detect the exploit; I also added a test-case with a real exploit certificate to both packages (no other changes).
As previously mentioned - if you run this and see any exploit activity, I would be really interested in hearing about it.
You could also point a browser in your environment at hxxps://cve20200601.dshield.org - they set up that site to test for vulnerable browsers, but I found in testing that it also triggered my NSM.
Excellent work on this plugin / script - very handy!
In even more news - after a suggestion from Justin, I updated the script in a way that lets you log suspicious certificates - in case you want to dig into exploit attempts afterwards.
Both versions of the plugin now have a setting (disabled by default) that will log all suspicious certificates encoded as base64.
To enable this, update your package and redef CVE_2020_0601::log_certs to true.