mirror of
https://github.com/zeek/zeek.git
synced 2025-10-03 15:18:20 +00:00
00e759b44c
Hence, when people specify data of type CERT_HASH in their intel source files, it will never trigger an alert.
39 lines
944 B
Text
39 lines
944 B
Text
@load base/frameworks/intel
|
|
@load base/files/x509
|
|
@load ./where-locations
|
|
|
|
event x509_ext_subject_alternative_name(f: fa_file, ext: X509::SubjectAlternativeName)
|
|
{
|
|
if ( ext?$dns )
|
|
{
|
|
for ( i in ext$dns )
|
|
Intel::seen([$indicator=ext$dns[i],
|
|
$indicator_type=Intel::DOMAIN,
|
|
$f=f,
|
|
$where=X509::IN_CERT]);
|
|
}
|
|
}
|
|
|
|
event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate)
|
|
{
|
|
if ( /emailAddress=/ in cert$subject )
|
|
{
|
|
local email = sub(cert$subject, /^.*emailAddress=/, "");
|
|
email = sub(email, /,.*$/, "");
|
|
Intel::seen([$indicator=email,
|
|
$indicator_type=Intel::EMAIL,
|
|
$f=f,
|
|
$where=X509::IN_CERT]);
|
|
}
|
|
}
|
|
|
|
event file_hash(f: fa_file, kind: string, hash: string)
|
|
{
|
|
if ( ! f?$info || ! f$info?$x509 || kind != "sha1" )
|
|
return;
|
|
|
|
Intel::seen([$indicator=hash,
|
|
$indicator_type=Intel::CERT_HASH,
|
|
$f=f,
|
|
$where=X509::IN_CERT]);
|
|
}
|