LetsEncrypt


Simple policy to detect LetsEncrypt Certbots

The following functionality is provided by the script:

1) LetsEncrypt::ValidationServer

2) LetsEncrypt::UserAgent

Installation

zeek-pkg install zeek/initconf/LetsEncrypt
or @load LetsEncrypt/scripts

Detailed Notes:

Alerts and descriptions: the following alerts are generated by the script.

Heuristics are simple: check for

This should generate the following kinds of notices:

Example notice:

1) ValidationServer:

1594245522.084710 CqMftm3qJfL0J7Jpja 70.166.60.59 56422 172.18.236.190 80 - - - tcp LetsEncrypt::ValidationServer GET http://172.18.236.190/.well-known/acme-challenge/m2TBbyTNFnuxSLXs9nCxPBBvwWjSlPtNqOE6qg1Brtk - 70.166.60.59 172.18.236.190 80 - - Notice::ACTION_LOG 86400.000000 - - -- -

2) UserAgent:

1594245522.084710 CqMftm3qJfL0J7Jpja 70.166.60.59 56422 172.18.236.190 80 - - - tcp LetsEncrypt::UserAgent - - 70.166.60.59 172.18.236.190 80 - - Notice::ACTION_LOG 86400.000000 - - - - -
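As an added example (not the package's own code), a minimal Zeek policy that raises the two notice types listed above, with the same msg/sub layout and 1-day suppression seen in the example notices. The `/.well-known/acme-challenge/` prefix is the ACME HTTP-01 challenge path; the `CertbotACMEClient` User-Agent pattern is an assumption based on Certbot's default User-Agent string, and the constant names are this example's own.

```zeek
##! Example LetsEncrypt detection policy (added example, not the package's code).
@load base/frameworks/notice
@load base/protocols/http

module LetsEncrypt;

export {
	redef enum Notice::Type += {
		## HTTP GET for an ACME HTTP-01 challenge token, i.e. a CA
		## validation server contacting a host that is requesting a cert.
		ValidationServer,
		## HTTP request whose User-Agent identifies the Certbot client.
		UserAgent,
	};

	## URI prefix used by the ACME HTTP-01 challenge.
	const acme_challenge_prefix = "/.well-known/acme-challenge/" &redef;

	## User-Agent pattern (assumed from Certbot's default UA string).
	const certbot_ua = /CertbotACMEClient/ &redef;
}

event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
	{
	# strstr() is 1-based; a return of 1 means the URI starts with the prefix.
	if ( method == "GET" && strstr(unescaped_URI, acme_challenge_prefix) == 1 )
		NOTICE([$note=ValidationServer,
		        $msg=method,
		        $sub=HTTP::build_url_http(c$http),
		        $conn=c,
		        $identifier=cat(c$id$orig_h, c$id$resp_h),
		        $suppress_for=1day]);
	}

event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
	{
	# Only the client's request carries the User-Agent; the base HTTP
	# scripts have populated c$http$user_agent by the time the message ends.
	if ( is_orig && c?$http && c$http?$user_agent && certbot_ua in c$http$user_agent )
		NOTICE([$note=UserAgent,
		        $msg=fmt("Certbot client observed: %s", c$http$user_agent),
		        $conn=c,
		        $identifier=cat(c$id$orig_h, c$id$resp_h),
		        $suppress_for=1day]);
	}
```

Load the file from local.zeek (or run `zeek -r capture.pcap <file>`) and the notices appear in notice.log in the form shown above.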

Package Version: