Friday, August 8, 2008

Bro editor bundle for TextMate

I've been putting in time here and there for a while now on a Bro bundle for the TextMate editor for Mac OS X. It adds syntax highlighting and text snippets to ease development of Bro policy scripts. It also adds mostly correct source code indentation rules for the canonical Bro development style.

Get it here

Text snippet help:
"fun" - To create a function.
"ev" - To create an event.
"if" - Creates an 'if' condition.

Wednesday, July 9, 2008

ssl-known-certs.bro

This script logs the clear text X.509 certificate information that is seen
during the SSL/TLS session establishment. It's a pretty short script, but it still has a configuration option. :)

The default setting is to log only certificates of local hosts. To log all certificates instead, change that setting with:
redef SSL_KnownCerts::logged_hosts = AllHosts;
Where this script really becomes cool is when you have DPD enabled (I'll write a post on how to do that soon). With DPD enabled, you will actually be detecting SSL on all ports, and the X.509 certificate gets logged just the same as for SSL on the normal ports like 443/tcp and 995/tcp.

Here are some example log lines from the ssl-known-certs.log file (the wrapping is horrible, but you get the idea):
209.85.133.19 443 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
209.85.133.189 443 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.mail.google.com
209.85.159.97 443 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google-analytics.com
140.254.54.134 443 /C=US/postalCode=43210/ST=OH/L=Columbus/streetAddress=250 West Woodruff Avenue/O=The Ohio State University/OU=Office of Information Technology/OU=Hosted by The Ohio State University/OU=Comodo PremiumSSL Wildcard/CN=*.osu.edu
Those fields are tab-separated too, so they're nice and easy to parse. More tomorrow hopefully!
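As an added example (not part of the original post or the Bro script itself), here is a small Python parser for that log format: it splits the tab-separated host, port and subject fields, breaks the OpenSSL-style subject DN into attribute/value pairs, and flags certificates seen on non-standard ports (the DPD case above) and wildcard CNs. The three Google lines are the post's own, re-joined with tabs; the 8443 line and the list of "standard" SSL ports are constructed assumptions.

```python
import re
from collections import namedtuple

# Sample ssl-known-certs.log content. The first three lines are from the post
# (tab-joined); the 10.0.0.5 line on 8443 is constructed to show a DPD hit.
SAMPLE_LOG = "\n".join([
    "209.85.133.19\t443\t/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com",
    "209.85.133.189\t443\t/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.mail.google.com",
    "209.85.159.97\t443\t/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google-analytics.com",
    "10.0.0.5\t8443\t/C=US/ST=Ohio/O=Example Corp/CN=vpn.example.com",
])

# Assumed set of ports where SSL/TLS is expected; anything else only shows up with DPD on.
STANDARD_SSL_PORTS = {443, 465, 563, 585, 636, 989, 990, 993, 994, 995}

CertRecord = namedtuple("CertRecord", "host port subject")


def parse_subject(subject):
    """Split '/C=US/O=.../CN=...' into an ordered list of (attr, value).

    Splitting only on a '/' that is followed by 'attr=' keeps values that
    themselves contain a slash intact, and repeated attributes (e.g. several
    OU= entries, as in the OSU line in the post) are all preserved in order.
    """
    pairs = []
    for part in re.split(r"/(?=[A-Za-z]+=)", subject.strip()):
        if part:
            attr, _, value = part.partition("=")
            pairs.append((attr, value))
    return pairs


def parse_log(text):
    """Parse ssl-known-certs.log lines: host<TAB>port<TAB>subject."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        host, port, subject = line.split("\t", 2)
        records.append(CertRecord(host, int(port), subject))
    return records


def common_name(subject):
    cns = [v for a, v in parse_subject(subject) if a == "CN"]
    return cns[-1] if cns else None


def nonstandard_port_certs(records):
    return [r for r in records if r.port not in STANDARD_SSL_PORTS]


def wildcard_certs(records):
    return [r for r in records if (common_name(r.subject) or "").startswith("*.")]
```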

Update: I forgot to give a link to the file. ssl-known-certs.bro

Tuesday, July 8, 2008

Welcome to A Bro Blog

I started this blog so that I could document and share my experiences with Bro-IDS.

I'm beginning to distribute the scripts that I have written over time to detect various issues on our network (I work here). To help distribute the scripts and allow others to work on them with a shared version control repository, I created an account at GitHub. That should allow people to grab my scripts, make changes, and then push their changes back to me for inclusion in the main set of analysis scripts. Here's my github repository. I'll be documenting many of the scripts that are and will be in that repository here as I have time.

Hopefully I will be able to convince more people to run Bro through this blog too.