Created
February 14, 2019 13:25
-
-
Save markuskont/1f14e1a162b49d50ddabbcfa6ce5dd31 to your computer and use it in GitHub Desktop.
Suricata lua output script for maintaining a list of known TLS certificates in redis. Log if new is seen.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
function init (args) | |
local needs = {} | |
needs["protocol"] = "tls" | |
return needs | |
end | |
function setup (args) | |
name = "tls.log" | |
filename = SCLogPath() .. "/" .. name | |
file = assert(io.open(filename, "a")) | |
redis = require 'redis' | |
client = redis.connect('192.168.10.16', 6379) | |
end | |
function log(args) | |
version, subject, issuer, fingerprint = TlsGetCertInfo() | |
serial = TlsGetCertSerial() | |
if version == nil then | |
version = "<nil>" | |
end | |
if subject == nil then | |
subject = "<nil>" | |
end | |
if issuer == nil then | |
issuer = "<nil>" | |
end | |
if fingerprint == nil then | |
fingerprint = "<nil>" | |
end | |
if fingerprint ~= nil then | |
if client:get(fingerprint) == nil then | |
ts = SCFlowTimeString() | |
file:write(ts .. "|" .. version .. "|" .. subject .. "|" .. issuer .. "|" .. fingerprint .. "|" .. serial .. "\n"); | |
file:flush(); | |
--seen[fingerprint] = true | |
client:set(fingerprint, true) | |
end | |
end | |
end | |
function deinit (args) | |
file:close(file) | |
end |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment