From 27942c224b8d0813943fb08af76d0ae337a13e61 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?F=C3=A9lix=20Aim=C3=A9?=
Date: Sat, 24 Apr 2021 22:39:02 +0200
Subject: [PATCH] Correcting issue with certificates detection

---
 analysis/classes/zeekengine.py | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/analysis/classes/zeekengine.py b/analysis/classes/zeekengine.py
index 271848d..c0a8e45 100644
--- a/analysis/classes/zeekengine.py
+++ b/analysis/classes/zeekengine.py
@@ -271,11 +271,10 @@ class ZeekEngine(object):
                     self.files.append(f)
         for f in self.files:
-            if f["mime_type"] == "application/x-x509-ca-cert":
+            if f["mime_type"] == "application/x-x509-user-cert":
                 for cert in bl_certs:
                     # Check for blacklisted certificate.
                     if f["sha1"] == cert[0]:
-                        host = self.resolve(f["ip_dst"])
-                        c["alert_tiggered"] = True
+                        host = self.resolve(f["ip_src"])
                         self.alerts.append({"title": self.template["IOC-07"]["title"].format(cert[1].upper(), host),
                                             "description": self.template["IOC-07"]["description"].format(f["sha1"], host),
                                             "host": host,
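Review bot: The new `if f["mime_type"] == "application/x-x509-user-cert":` line replaces the CA-cert match instead of extending it, so a blacklisted certificate that Zeek labels `application/x-x509-ca-cert` is no longer compared against bl_certs at all. The actual detection is the SHA-1 comparison `f["sha1"] == cert[0]`; the mime check is only a pre-filter and should accept both labels, `if f["mime_type"] in ("application/x-x509-user-cert", "application/x-x509-ca-cert"):`. Dropping `c["alert_tiggered"] = True` looks right, since no `c` is bound in this scope. The `self.alerts.append({...` statement continues past the end of the hunk, so whether a match `break`s out of the `for cert` loop cannot be seen here; if it does not, a hash listed twice in bl_certs would raise duplicate alerts.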