Using blacklists like this is actually quite easy nowadays. Just
loading the list of blacklisted SHA-1 hashes into the intel framework
and making sure that policy/frameworks/intel/seen/file-hashes.bro is
loaded should be enough.
Certificates used in SSL connections are handled just like files, so
if one of the certificates is encountered after loading the data, it
should trigger a notification.
You just have to reformat the list for the intel framework.
On 15 Jul 2014, at 9:40, James Lay wrote:
> Wonder if bro can support this?
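The reformatting step mentioned in the reply, as an added example that is not part of the original message: a Python sketch that turns a list of SHA-1 fingerprints into the tab-separated file the intel framework reads. The input layout (one hash per line, optionally colon-separated and followed by a description), the function name `to_intel` and the source label `cert-blacklist` are assumptions.

```python
import re

# Tab-separated header expected by the intel framework's file reader.
INTEL_HEADER = "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc"
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample input, not real blacklist entries.
SAMPLE = [
    "# constructed sample blacklist",
    "0123456789abcdef0123456789abcdef01234567 Example revoked CA",
    "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33",
    "0123456789ABCDEF0123456789ABCDEF01234567",   # duplicate, other case
    "d41d8cd98f00b204e9800998ecf8427e",           # MD5 length, rejected
]


def to_intel(lines, source="cert-blacklist"):
    """Return (intel_text, rejected_lines) for an iterable of blacklist lines."""
    rows, rejected, seen = [], [], set()
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # skip blanks and comments
        parts = re.split(r"[,\s]+", line, maxsplit=1)
        # Normalise "AA:BB:..." fingerprints to bare lowercase hex.
        digest = parts[0].replace(":", "").lower()
        if not SHA1_RE.match(digest):
            rejected.append(line)         # not a SHA-1; keep for review
            continue
        if digest in seen:
            continue                      # drop duplicates
        seen.add(digest)
        desc = parts[1].strip() if len(parts) > 1 else ""
        # "-" marks an unset field; tabs would break the column layout.
        desc = desc.replace("\t", " ") or "-"
        rows.append("\t".join((digest, "Intel::FILE_HASH", source, desc)))
    return "\n".join([INTEL_HEADER] + rows) + "\n", rejected


if __name__ == "__main__":
    text, bad = to_intel(SAMPLE)
    print(text, end="")
    print("rejected:", bad)
```

Write the returned text to a file and add it to `Intel::read_files` in the site policy (for example `redef Intel::read_files += { "/path/to/cert-blacklist.intel" };`, where the path is a placeholder).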