Simple policy to detect LetsEncrypt Certbots
The script provides the following two notices:
1) LetsEncrypt::ValidationServer
2) LetsEncrypt::UserAgent
Installation
zkg install zeek/initconf/LetsEncrypt
or load it manually from your site scripts: @load LetsEncrypt/scripts
Detailed Notes:
The heuristics are simple, and each one produces its own notice type:
1) LetsEncrypt::ValidationServer: raised on an HTTP request for an ACME HTTP-01 challenge token, i.e. a URI under /.well-known/acme-challenge/ (the request method and URL are carried in the notice's msg field, as in the example below). Note that any ACME client, and any scanner probing that path, will trigger it; the path is not specific to Let's Encrypt.
2) LetsEncrypt::UserAgent: raised on the HTTP User-Agent header presented by the Let's Encrypt validation client.
Example notices, in notice.log column order (ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, fuid, file_mime_type, file_desc, proto, note, msg, sub, src, dst, p, n, peer_descr, actions, suppress_for, remote_location.*); both show Notice::ACTION_LOG with a one-day (86400 s) suppression window:
1) ValidationServer:
1594245522.084710 CqMftm3qJfL0J7Jpja 70.166.60.59 56422 172.18.236.190 80 - - - tcp LetsEncrypt::ValidationServer GET http://172.18.236.190/.well-known/acme-challenge/m2TBbyTNFnuxSLXs9nCxPBBvwWjSlPtNqOE6qg1Brtk - 70.166.60.59 172.18.236.190 80 - - Notice::ACTION_LOG 86400.000000 - - - - -
2) UserAgent:
1594245522.084710 CqMftm3qJfL0J7Jpja 70.166.60.59 56422 172.18.236.190 80 - - - tcp LetsEncrypt::UserAgent - - 70.166.60.59 172.18.236.190 80 - - Notice::ACTION_LOG 86400.000000 - - - - -
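The two heuristics above, written out as a complete Zeek script. This is an added example for illustration, not the initconf/LetsEncrypt package's own code: the constant names (acme_challenge_path, validator_ua, suppress_interval) and the User-Agent pattern are assumptions, and the msg/sub fields it fills in differ from the package's example notices (which leave the UserAgent msg empty).

```zeek
##! Added example: a minimal script implementing the ValidationServer and
##! UserAgent heuristics. Not the initconf/LetsEncrypt package's own code;
##! constant names and the User-Agent pattern below are assumptions.

@load base/frameworks/notice
@load base/protocols/http

module LetsEncrypt;

export {
	redef enum Notice::Type += {
		## An HTTP request for an ACME HTTP-01 challenge token was seen
		## (a URI under /.well-known/acme-challenge/).
		ValidationServer,
		## A client presented a User-Agent that looks like the
		## Let's Encrypt validation client.
		UserAgent,
	};

	## URI prefix used by ACME HTTP-01 validation (RFC 8555, section 8.3).
	## Any ACME CA and any scanner probing the path will match this too.
	const acme_challenge_path = /\/\.well-known\/acme-challenge\// &redef;

	## User-Agent substring to look for. Assumed value; adjust it to what
	## actually shows up in the user_agent column of your own http.log.
	const validator_ua = /Let's Encrypt validation server/ &redef;

	## Suppress repeat notices for the same client/server pair for this
	## long. One day matches the 86400 s suppress_for in the examples above.
	const suppress_interval = 1day &redef;
}

event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
	{
	# Match the unescaped URI so percent-encoded variants such as
	# /%2ewell-known/acme-challenge/... do not slip past the pattern.
	if ( acme_challenge_path !in unescaped_URI )
		return;

	# http_request fires before the Host header has been parsed, so
	# HTTP::build_url_http() falls back to the responder IP, producing
	# URLs of the form http://<id.resp_h>/.well-known/acme-challenge/...
	NOTICE([$note=ValidationServer,
	        $msg=fmt("%s %s", method, HTTP::build_url_http(c$http)),
	        $conn=c,
	        $identifier=cat(c$id$orig_h, c$id$resp_h),
	        $suppress_for=suppress_interval]);
	}

event http_header(c: connection, is_orig: bool, name: string, value: string)
	{
	# Zeek upper-cases header names. Only the originator (client) side
	# carries the User-Agent we care about.
	if ( ! is_orig || name != "USER-AGENT" )
		return;

	if ( validator_ua !in value )
		return;

	NOTICE([$note=UserAgent,
	        $msg=fmt("User-Agent: %s", value),
	        $sub=HTTP::build_url_http(c$http),
	        $conn=c,
	        $identifier=cat(c$id$orig_h, c$id$resp_h),
	        $suppress_for=suppress_interval]);
	}
```

Drop the file into your site directory and add it to local.zeek (or run it directly with zeek -r trace.pcap script.zeek over a capture that contains an ACME validation). The $identifier keyed on the orig/resp pair plus $suppress_for keeps a single certificate renewal, which normally involves several validation requests from several Let's Encrypt vantage points, from flooding notice.log; raise or lower suppress_interval to taste. Treat a ValidationServer hit with no matching UserAgent notice as worth a look: it is either a non-Let's-Encrypt ACME client or someone probing the challenge path.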