Last active
December 5, 2018 16:05
-
-
Save markuskont/87e545c8b82fa00caf091ed6a2fedc8f to your computer and use it in GitHub Desktop.
Lua script to get suricata alert when newly created TLS certificate is observed on wire. Courtesy of regit - https://github.com/regit
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| -- courtesy of regit - https://github.com/regit | |
| function init (args) | |
| local needs = {} | |
| needs["tls"] = tostring(true) | |
| needs["flowint"] = {"cert-age"} | |
| return needs | |
| end | |
| function match(args) | |
| notbefore = TlsGetCertNotBefore() | |
| if not notbefore then | |
| return 0 | |
| end | |
| if os.time() - notbefore < 3 * 3600 then | |
| ScFlowintSet(0, os.time() - notbefore) | |
| return 1 | |
| end | |
| return 0 | |
| end |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #alert tls any any -> any any (msg:"Self signed certificate"; lua:self-signed-cert.lua; tls.store; sid:1; rev:1;) | |
| alert tls any any -> any any (msg:"Recent certificate"; lua:new-cert.lua; tls.store; sid:2; rev:1;) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment