In a resource constrained environment, the ability to detect malicious or anomalous activity can be challenging – especially when malicious actors utilize legitimate cryptographic protocols. This talk covers a simple technique to detect anomalies in X509 certificates using Bro IDS that does not rely on external data sources (ie. 3rd party vendors, custom database, ...) The talk will also cover real world examples where this technique would have been successful in detecting modern exploit kits that leverage TLS/SSL.