search

MISP / misp-warninglists

Warning lists to inform users of MISP about potential false-positives or other information in indicators
http://misp.github.io/misp-warninglists/
495 stars 166 forks source link

Adjust X509 fingerprint Mozilla CA format #116

Open vpiserchia opened 4 years ago

vpiserchia commented 4 years ago

It came to my attention that the mozilla-ca list of known CA certificate fingerprints do not appear to use commas for separating the (hex-represented) bytes of the fingerprint.

This seems to be a problem to be as for example IDS like suricata provide a tls.fingerprint keyword that expects the fingerprint in that format.

Also any resource I was able to find use the same format, see this [1] as an example

I'm wondering what would be the best approach in this case, I see two alternatives:

  1. adjust the list to hex format (for example adding the same entries twice);
  2. create another list with the hex format

Looking forward for your comments [1] https://www.netlock.hu/USEREN/html/cacrl.html

vpiserchia commented 3 years ago

anyone can add some light on this?