This repository contains a number of small Bro scripts that could be useful.
This script provides a COUNTTABLE type for the summary statistics framework. This type is basically like SUM, with the difference that you have to provide a $str in the observation, and the SUM is calculated independently for each $str.
This makes it optimal for summing up a small number of keys per host, for example all the TLS ciphers you saw in use for hosts on the local host.
Do not try to use this with a large number of different $str values, especially in a cluster setup. It will probably lead to excessive resource use.
This script calculates the percentage of the use of the different TLS cipher suites for each host in the local network.
This script identifies certificates on the local network which will be impacted by the Chrome SHA-1 sunset changes.
Short, simple script that adds the name of the node that processed a connection to conn.log.
Another very short script that logs the DH discrete log group size to ssl.log.
This script excludes certificates that are served by hosts in local_nets from x509.log.
This script performs certificate validation of all encountered X509 certificates. It mimics browser behavior by caching intermediate certificates for future validations.
The script was a drop-in replacement for the validate-certs policy script of Bro. It has now replaced the old validate-certs script that was part of Bro and is probably only of historic interest.