Using Bro IDS to Detect X509 Anomalies

BSidesCharm 2016

Presented by: Will Glodek, Mark Parsons
Date: Saturday April 23, 2016
Time: 14:30 - 14:50
Location: Track 1

In a resource constrained environment, the ability to detect malicious or anomalous activity can be challenging, especially when malicious actors utilize legitimate cryptographic protocols. This talk covers a simple technique to detect anomalies in X.509 certificates using Bro IDS that does not rely on external data sources (i.e. third-party vendors, custom databases, etc.). The talk will also cover real-world examples where this technique would have been successful in detecting modern exploit kits that leverage TLS/SSL.
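As an added illustration of the kind of check the abstract describes (this is not the speakers' script and does not claim to reproduce their heuristics), the Bro policy script below flags TLS server leaf certificates using only the fields Bro already parses into its X509::Certificate record, so no external feed or database is consulted. It is written against the Bro 2.4 script API (ssl_established, SSL::Info$cert_chain, Files::Info$x509, the Notice framework); the four heuristics, the module name X509Anomaly and the thresholds short_validity and fresh_issue are assumptions chosen for illustration.

```bro
##! Added example, not the speakers' code: flag anomalous-looking TLS server
##! leaf certificates from Bro's own parsed X.509 fields, with no external data.
##! Heuristics and thresholds below are illustrative assumptions.

@load base/frameworks/notice
@load base/protocols/ssl
@load base/files/x509

module X509Anomaly;

export {
	redef enum Notice::Type += {
		## Leaf certificate is self-signed (subject equals issuer).
		Self_Signed_Leaf,
		## Leaf certificate subject carries no Organization (O=) component.
		Missing_Organization,
		## Leaf certificate validity window is shorter than short_validity.
		Short_Validity,
		## Leaf certificate was issued less than fresh_issue before it was observed.
		Freshly_Issued,
	};

	## Validity window below which a certificate is considered anomalous (assumed threshold).
	const short_validity = 30 days &redef;
	## Age below which a certificate is considered freshly issued (assumed threshold).
	const fresh_issue = 7 days &redef;
}

function report(c: connection, n: Notice::Type, cert: X509::Certificate, why: string)
	{
	NOTICE([$note=n,
	        $msg=fmt("%s: subject=%s issuer=%s", why, cert$subject, cert$issuer),
	        $sub=cert$serial,
	        $conn=c,
	        # Suppress repeats per certificate and heuristic rather than per connection.
	        $identifier=cat(n, cert$serial, cert$issuer),
	        $suppress_for=1 day]);
	}

event ssl_established(c: connection)
	{
	# Only server-supplied chains that contain at least a leaf certificate matter here.
	if ( ! c?$ssl || ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 )
		return;

	# Element 0 of the chain is the end-entity (leaf) certificate the server presented.
	local leaf = c$ssl$cert_chain[0];
	if ( ! leaf?$x509 )
		return;

	local cert = leaf$x509$certificate;

	if ( cert$subject == cert$issuer )
		report(c, Self_Signed_Leaf, cert, "self-signed leaf certificate");

	# Bro renders distinguished names as "CN=...,O=...,C=..."; look for an O= component.
	if ( /(^|,)O=/ !in cert$subject )
		report(c, Missing_Organization, cert, "no Organization in subject");

	local window = cert$not_valid_after - cert$not_valid_before;
	if ( window < short_validity )
		report(c, Short_Validity, cert, fmt("validity window %s", window));

	# Compare against the capture's clock, not the wall clock, so PCAP replay behaves.
	local age = network_time() - cert$not_valid_before;
	if ( age < fresh_issue )
		report(c, Freshly_Issued, cert, fmt("issued %s before observation", age));
	}
```

Load it from local.bro or run it directly against a capture with `bro -r capture.pcap x509-anomaly.bro` and inspect notice.log. Each heuristic on its own produces noise (internal services routinely use self-signed certificates, and free CAs issue short-lived ones), so in practice a notice is most useful when several fire on the same connection or when the destination is outside known-good address space; tune the thresholds with `redef` rather than editing the script.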

Will Glodek

Mr. William Glodek is currently Senior Network Security Engineer at BreakPoint Labs. He previously served as a computer scientist and Network Security Branch Chief at the US Army Research Laboratory. He is the creator and developer of Dshell, a Python-based network forensics analysis framework. Mr. Glodek's research includes network forensics, digital forensics and incident response, and the application of machine learning methods in the cybersecurity domain.

Using open source SSL/TLS data to hunt threat actors and defend networks

This presentation will go over how net defenders and threat intel analysts can use TLS/SSL data from sources like scans.io and censys.io to defend their networks and hunt threat actors that use TLS/SSL either for communication in their malware or for their infrastructure.

Mark Parsons

Mark Parsons is a net defender who has slowly turned into a small-time developer and occasional threat analyst. Over the past 4 years he has worked at a civilian federal agency doing incident response and threat intelligence. He has spent the past few years creating solutions that allow threat analysts and net defenders to spend more time looking at data rather than collecting it.


KhanFu - Mobile schedules for INFOSEC conferences.