There are times when you get a lot of Zeek notices that have no value to your security model, or that are simply false positives. It may not be in your hands to fix the system or to change its configuration so that these alerts stop. In that case, you can configure Zeek to suppress these notices so they are never raised.
Zeek validates TLS certificates against a bundled root certificate store (SSL::root_certs), much as Firefox does, and it cannot go out and fetch a missing intermediate certificate. So you are often in the situation where a server does not send its intermediate certificate, Zeek cannot find it, and for that reason it is unable to verify the validity of the certificate. In this case, a notice will show up in your notice.log with the message SSL certificate validation failed with (unable to get local issuer certificate). I have tried to fix it with this script (https://gist.github.com/JustinAzoff/7a1b92c976a2fa6e8601), but with no luck. More specifically, this Python script creates a file (cacert.zeek) that contains the intermediate certificates previously downloaded with openssl s_client, ready to be loaded into Zeek's root certificate table (SSL::root_certs, a table keyed by certificate subject whose values are the DER-encoded certificates).
Below are the steps you have to follow in order to produce the cacert.zeek file. Do the first step once for each CA and ignore the "verify error" lines that openssl prints.

openssl s_client -host slscr.update.microsoft.com -port 443 -showcerts < /dev/null | sed -n '/BEGIN/,/END/p' | openssl x509 -outform DER > o.der
python ./gen_certs.py . cacert.zeek

One caveat: openssl x509 reads only the first certificate from its input, and with -showcerts the first one printed is the server's own (leaf) certificate, so to capture an intermediate you have to isolate its PEM block (for example with awk) before converting it to DER.
In general, if you want to stop specific notices from showing up you can do the following. Create a Zeek script and implement the Notice::policy hook. Zeek's own policy handler runs at priority 10 and is the one that adds Notice::ACTION_LOG as the default action, so your handler has to run after it, that is, with a priority lower than 10 (the script below uses 5). Once you have matched the notices you want to drop, set the notice's actions to Notice::ACTION_NONE (or delete Notice::ACTION_LOG from n$actions) and you are done. If you want to drop a notice type entirely regardless of its content, adding the type to Notice::ignored_types does that without any hook code; the hook is for content-based filtering like the one below.
In the script below, we are telling Zeek that when a notice is about to be raised it should check whether the string local issuer appears in the msg field of the notice, and whether the sub field (the certificate subject) matches the regex microsoft.com or apple.com. If both are true, the notice is prevented from appearing in notice.log.
option exclude_domains: pattern = /microsoft\.com/ | /apple\.com/;

# Priority 5 runs after Zeek's built-in policy handler (priority 10),
# which is where ACTION_LOG gets added by default.
hook Notice::policy(n: Notice::Info) &priority=5
	{
	# msg and sub are optional fields of Notice::Info, so make sure they
	# exist before reading them.
	if ( n?$msg && n?$sub )
		{
		if ( "local issuer" in n$msg && exclude_domains in n$sub )
			{
			n$actions = Notice::ActionSet(Notice::ACTION_NONE);
			print n;   # debugging only; remove once the filter behaves as expected
			}
		}
	}
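To check a filter like this without waiting for real traffic, you can fire constructed notices from zeek_init and look at the resulting notice.log. The script below is an added example written for this post, not code from the original or from the suppress-ssl-notices package: it restricts the filter to the SSL::Invalid_Server_Cert notice type that validate-certs raises, removes only the logging action, and then raises three hand-made notices. The script name, the domain list and the three notices are assumptions made up for the example; the msg format and the use of the certificate subject as sub follow what validate-certs produces.

```zeek
# suppress_test.zeek (example script, not part of the original post)
# Run offline with:   zeek suppress_test.zeek
# Then inspect notice.log: only the example.org notice should appear.

@load protocols/ssl/validate-certs   # defines SSL::Invalid_Server_Cert

module SuppressTest;

export {
	## Certificate subjects matching this pattern are not worth a notice
	## when the only problem is a missing intermediate certificate.
	## (Assumed domain list for the example.)
	option exclude_domains: pattern = /microsoft\.com/ | /apple\.com/;
}

# Priority 5 runs after Zeek's built-in policy handler (priority 10),
# which is the one that adds ACTION_LOG, so removing it here is final.
hook Notice::policy(n: Notice::Info) &priority=5
	{
	# Only touch the certificate-validation notice, and only when the
	# optional msg/sub fields are actually present (&& short-circuits,
	# so n$msg / n$sub are never read when absent).
	if ( n$note == SSL::Invalid_Server_Cert && n?$msg && n?$sub &&
	     "local issuer" in n$msg && exclude_domains in n$sub )
		# Drop only the logging action; any e-mail or alarm action that
		# another policy handler added for this notice stays in place.
		delete n$actions[Notice::ACTION_LOG];
	}

event zeek_init()
	{
	# Constructed notices standing in for what validate-certs would raise.

	# 1) Missing intermediate for an excluded domain: suppressed.
	NOTICE([$note=SSL::Invalid_Server_Cert,
	        $msg="SSL certificate validation failed with (unable to get local issuer certificate)",
	        $sub="CN=slscr.update.microsoft.com,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US"]);

	# 2) Same error for a domain outside the list: still logged.
	NOTICE([$note=SSL::Invalid_Server_Cert,
	        $msg="SSL certificate validation failed with (unable to get local issuer certificate)",
	        $sub="CN=example.org,O=Example"]);

	# 3) A different validation error for an excluded domain: still logged,
	#    because the filter is keyed on the "local issuer" message, not
	#    on the domain alone.
	NOTICE([$note=SSL::Invalid_Server_Cert,
	        $msg="SSL certificate validation failed with (certificate has expired)",
	        $sub="CN=login.microsoft.com,O=Microsoft Corporation"]);
	}
```

Keying the filter on the note type and on the exact validation failure keeps the suppression narrow: an expired or self-signed certificate on an excluded domain is still reported, which is the behaviour you usually want when the only thing you are trying to silence is the missing-intermediate noise.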
Update: For more advanced filtering you can use the Zeek package which is available from the Zeek Package Manager:
zkg install suppress-ssl-notices
Documentation on how to use it can be found here: https://github.com/chrisanag1985/suppress-ssl-notices