From 00e759b44c36750666a2db545a2137ecf4ef5d53 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Mon, 11 Apr 2016 15:50:02 +0200 Subject: [PATCH] Intel: CERT_HASH indicator type was never checked Hence, when people specify data of type CERT_HASH in their intel source files, it will never trigger an alert. --- scripts/policy/frameworks/intel/seen/x509.bro | 11 +++++++++++ .../intel-all.log | 11 +++++++---- .../scripts/policy/frameworks/intel/seen/certs.bro | 1 + 3 files changed, 19 insertions(+), 4 deletions(-) diff --git a/scripts/policy/frameworks/intel/seen/x509.bro b/scripts/policy/frameworks/intel/seen/x509.bro index 3a2859b6d5..9dcbc3edb9 100644 --- a/scripts/policy/frameworks/intel/seen/x509.bro +++ b/scripts/policy/frameworks/intel/seen/x509.bro @@ -26,3 +26,14 @@ event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certifi $where=X509::IN_CERT]); } } + +event file_hash(f: fa_file, kind: string, hash: string) + { + if ( ! f?$info || ! f$info?$x509 || kind != "sha1" ) + return; + + Intel::seen([$indicator=hash, + $indicator_type=Intel::CERT_HASH, + $f=f, + $where=X509::IN_CERT]); + } diff --git a/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.certs/intel-all.log b/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.certs/intel-all.log index ba1afe4239..4b5786e00d 100644 --- a/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.certs/intel-all.log +++ b/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.certs/intel-all.log @@ -3,20 +3,23 @@ #empty_field (empty) #unset_field - #path intel -#open 2015-03-14-01-47-46 +#open 2016-04-11-13-48-49 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc seen.indicator seen.indicator_type seen.where seen.node sources #types time string addr port addr port string string string string enum enum string set[string] 1416942644.593119 CXWv6p3arKYeMETxOg 192.168.4.149 49422 23.92.19.75 443 F0txuw2pvrkZOn04a8 application/pkix-cert 23.92.19.75:443/tcp www.pantz.org Intel::DOMAIN X509::IN_CERT bro source1 -#close 2015-03-14-01-47-46 +#close 2016-04-11-13-48-49 #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path intel -#open 2015-03-14-01-47-46 +#open 2016-04-11-13-48-49 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc seen.indicator seen.indicator_type seen.where seen.node sources #types time string addr port addr port string string string string enum enum string set[string] +1170717505.735416 CXWv6p3arKYeMETxOg 192.150.187.164 58868 194.127.84.106 443 FeCwNK3rzqPnZ7eBQ5 application/pkix-cert 194.127.84.106:443/tcp 2c322ae2b7fe91391345e070b63668978bb1c9da Intel::CERT_HASH X509::IN_CERT bro source1 1170717505.934612 CXWv6p3arKYeMETxOg 192.150.187.164 58868 194.127.84.106 443 - - - www.dresdner-privat.de Intel::DOMAIN X509::IN_CERT bro source1 +1170717508.883051 CjhGID4nQcgTWjvg4c 192.150.187.164 58869 194.127.84.106 443 FjkLnG4s34DVZlaBNc application/pkix-cert 194.127.84.106:443/tcp 2c322ae2b7fe91391345e070b63668978bb1c9da Intel::CERT_HASH X509::IN_CERT bro source1 1170717509.082241 CjhGID4nQcgTWjvg4c 192.150.187.164 58869 194.127.84.106 443 - - - www.dresdner-privat.de Intel::DOMAIN X509::IN_CERT bro source1 +1170717511.909717 CCvvfg3TEfuqmmG4bh 192.150.187.164 58870 194.127.84.106 443 FQXAWgI2FB5STbrff application/pkix-cert 194.127.84.106:443/tcp 2c322ae2b7fe91391345e070b63668978bb1c9da Intel::CERT_HASH X509::IN_CERT bro source1 1170717512.108799 CCvvfg3TEfuqmmG4bh 192.150.187.164 58870 194.127.84.106 443 - - - www.dresdner-privat.de Intel::DOMAIN X509::IN_CERT bro source1 -#close 2015-03-14-01-47-46 +#close 2016-04-11-13-48-49 diff --git a/testing/btest/scripts/policy/frameworks/intel/seen/certs.bro b/testing/btest/scripts/policy/frameworks/intel/seen/certs.bro index 2ab4c6a50a..859e3a6b9f 100644 --- a/testing/btest/scripts/policy/frameworks/intel/seen/certs.bro +++ b/testing/btest/scripts/policy/frameworks/intel/seen/certs.bro @@ -8,6 +8,7 @@ #fields indicator indicator_type meta.source meta.desc meta.url www.pantz.org Intel::DOMAIN source1 test entry http://some-data-distributor.com/100000 www.dresdner-privat.de Intel::DOMAIN source1 test entry http://some-data-distributor.com/100000 +2c322ae2b7fe91391345e070b63668978bb1c9da Intel::CERT_HASH source1 test entry http://some-data-distributor.com/100000 @TEST-END-FILE @load base/frameworks/intel