50 lines
1.5 KiB
Plaintext
50 lines
1.5 KiB
Plaintext
#
|
|
# Copyright (c) 2016-2018 RockNSM.
|
|
#
|
|
# This file is part of RockNSM
|
|
# (see http://rocknsm.io).
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing,
|
|
# software distributed under the License is distributed on an
|
|
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
|
# KIND, either express or implied. See the License for the
|
|
# specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
@load frameworks/intel/seen
|
|
|
|
# Ensure we SHA256 all the things, but especially the x509 certs
|
|
event file_new(f: fa_file)
|
|
{
|
|
Files::add_analyzer(f, Files::ANALYZER_SHA256);
|
|
}
|
|
|
|
# Observe x509 SHA256 hashes
|
|
event file_hash(f: fa_file, kind: string, hash: string)
|
|
{
|
|
if ( ! f?$info || ! f$info?$x509 || kind != "sha256" )
|
|
return;
|
|
|
|
Intel::seen([$indicator=hash,
|
|
$indicator_type=Intel::CERT_HASH,
|
|
$f=f,
|
|
$where=X509::IN_CERT]);
|
|
}
|
|
|
|
event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate)
|
|
{
|
|
# if the file_hash event was raised before the x509 event...
|
|
if ( f$info?$sha256 ) {
|
|
Intel::seen([$indicator=f$info$sha256,
|
|
$indicator_type=Intel::CERT_HASH,
|
|
$f=f,
|
|
$where=X509::IN_CERT]);
|
|
}
|
|
}
|