Assorted scripts for Bro

This repository contains a number of small Bro scripts that could be useful.

counttable.bro

This script provides a COUNTTABLE type for the summary statistics framework. This type is basically like SUM, with the difference that you have to provide a $str in the observation, and the SUM is calculated independently for each $str.

This makes it well suited to summing up a small number of keys per host, for example all the TLS ciphers you saw in use for hosts on the local network.

Do not try to use this with a big number of different $str values, especially in a cluster setup. It will probably lead to excessive resource use.

ssl-ciphers.bro

This script calculates the percentage of the use of the different TLS cipher suites for each host in the local network.
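
The per-$str summing that counttable.bro describes, and the per-host cipher percentages that ssl-ciphers.bro derives from it, can be modelled in a few lines. This is an added Python illustration, not code from this repository and not Bro script; the function names, worker names, hosts and observations are all constructed for the example.

```python
from collections import Counter, defaultdict

# Constructed observations: (worker node, local host, negotiated cipher suite).
OBSERVATIONS = [
    ("worker-1", "10.0.0.5", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
    ("worker-2", "10.0.0.5", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
    ("worker-2", "10.0.0.5", "TLS_RSA_WITH_RC4_128_SHA"),
    ("worker-1", "10.0.0.5", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
    ("worker-1", "10.0.0.9", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"),
]

def observe(state, host, s, num=1):
    """Add num to the sum kept for string s under key host (one worker's state)."""
    state[host][s] += num

def merge(states):
    """Combine per-worker tables the way a manager would: sum matching strings."""
    merged = defaultdict(Counter)
    for state in states:
        for host, table in state.items():
            merged[host].update(table)
    return merged

def table_entries(state):
    """Number of (host, string) sums held; this is what grows with many $str values."""
    return sum(len(table) for table in state.values())

def cipher_percentages(table):
    """Turn one host's string -> sum table into string -> percentage of use."""
    total = sum(table.values())
    return {s: 100.0 * n / total for s, n in table.items()}

def run(observations):
    """Feed observations to per-worker state, merge, and report per-host shares."""
    workers = defaultdict(lambda: defaultdict(Counter))
    for node, host, cipher in observations:
        observe(workers[node], host, cipher)
    merged = merge(workers.values())
    return {host: cipher_percentages(t) for host, t in merged.items()}

if __name__ == "__main__":
    for host, shares in sorted(run(OBSERVATIONS).items()):
        for cipher, pct in sorted(shares.items(), key=lambda kv: -kv[1]):
            print(f"{host}  {pct:5.1f}%  {cipher}")
```

Every distinct string adds one entry per host on every node that saw it, and all of those entries are transferred and merged, which is why a large number of different $str values becomes expensive in a cluster.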

chrome-sha1.bro

This script identifies certificates on the local network which will be impacted by the Chrome SHA-1 sunset changes.

conn-workers.bro

Short, simple script that adds the name of the node that processed a connection to conn.log.

dhe-length.bro

Another very short script that logs the DH discrete log group size to ssl.log.

skip-local-certs.bro

This script excludes certificates that are served by hosts in local_nets from x509.log.

validate-certs-cache-intermediates.bro

This script performs certificate validation of all encountered X509 certificates. It mimics browser behavior by caching intermediate certificates for future validations.

The script was a drop-in replacement for the validate-certs policy script of Bro. It has since replaced the old validate-certs script that was part of Bro and is probably only of historic interest.