[Bro] Question about data format of ssl.log files

Jesse Bowling jessebowling at gmail.com
Wed Feb 20 12:45:02 PST 2013


Thank you Mike!

Using:

awk -F '\t' '($11 == $12) && ($11 != "-") {print $0}' ./ssl.log

has brought me immediate joy in that I found that the primary web site for
our auditors is using a self-signed cert; let us hope that is not a
practice they fault us for. :P

On a serious note though, I do not see serial number in the default ssl.log
file; can someone share the incantation to have it added?

Thanks in advance,

Jesse

On Wed, Feb 20, 2013 at 3:18 PM, Mike Sconzo <sconzo at visiblerisk.com> wrote:

> There are a couple different things you can look for.
>
> The serial number works pretty well in a lot of cases (I use this 99%
> of the time w/o issue). The subject and issuer are useful for finding
> odd SSL certs to begin with. A lot of their subjects and issuers are
> pretty trash looking. If you were really paranoid you could combine
> the 2 for a more accurate match. I'd also say having a 5 year validity
> isn't too normal, but I don't have any hard data to back this up (just
> from what I remember from doing analysis). Not to mention when subject
> = issuer is also a giveaway for self-signed, and while not
> immediately malicious it tends to raise my eyebrow (for example, a
> self signed mail.aol.com or mail.yahoo.com cert?). For the default bro
> logs I'd look at servername, subject, not valid before and not valid
> after; that should give you a reasonable starting place.
>
> As an aside this might be one of my favorites:
>
> C=US, ST=Washington, L=Anytown, O=ACLU, OU=A@@hole,
> CN=NoName/emailAddress=iamnot at home.com
>
> Just by looking at subjects and/or issuers that should stand out
> because that is not normal for legit network traffic. Sorry for the
> tangent, but personally I'd be less worried about the specifics in the
> report and more about the chances that it's something not in this
> report on your network <FUD alert! :) >
>
> -=Mike
>
>
>
> On Wed, Feb 20, 2013 at 1:11 PM, Jesse Bowling <jessebowling at gmail.com>
> wrote:
> > Hi,
> >
> > So quite a few infosec folks are looking at Mandiant's APT1 report,
> myself
> > included...When I saw that they included some information on SSL certs in
> > use I thought "Oh, I'll bet I can check my Bro logs for that!".
> > Unfortunately, I don't see a way to correlate the info from these reports
> > with my Bro logs (which is pretty vanilla).
> >
> > So I suppose my question(s) is/are:
> >
> > *Has anyone else seen a reliable way to correlate the report data with
> Bro
> > logs?
> > *How might I change my Bro logs so that if I were given this info in the
> > future I could reliably correlate it?
> >
> > I'm fairly ignorant about how much of an X509 cert one can see on the
> wire;
> > serial number seemed promising but is only "required" to be unique per
> CA,
> > Signature Algorithm seems promising, as does Public Key Modulus...
> >
> > Any suggestions/thoughts from the group?
> >
> > Cheers,
> >
> > Jesse
> >
> > http://intelreport.mandiant.com/
> > http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf
> > http://intelreport.mandiant.com/Mandiant_APT1_Report_Appendix.zip
> >
> > --
> > Jesse Bowling
> >
> >
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
>
> --
> cat ~/.bash_history > documentation.txt
>



-- 
Jesse Bowling
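A header-aware version of the check Jesse's awk one-liner performs, added here as an example (not code from the thread): it reads a Bro ssl.log by its #fields header instead of column positions, flags subject == issuer (self-signed) and 5+ year validity as Mike describes, and compares subject/issuer against a watch list of values taken from a report. The sample log lines are constructed, and the column names (subject, issuer_subject, not_valid_before, not_valid_after) are assumed from the $11/$12 mapping in the awk above.

```python
"""Triage a Bro ssl.log by #fields header: self-signed, long validity, watch-list hits."""

FIVE_YEARS = 5 * 365 * 86400  # seconds; Mike's "5 year validity isn't too normal"

# Constructed sample in Bro 2.x ssl.log layout (field names assumed, see lead-in).
SAMPLE_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tssl
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tversion\tcipher\tserver_name\tsession_id\tsubject\tissuer_subject\tnot_valid_before\tnot_valid_after\tlast_alert
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring\tstring\tstring\tstring\ttime\ttime\tstring
1361400000.000000\tCXWv6p3arKYeMETxOg\t10.0.0.5\t51234\t192.0.2.10\t443\tTLSv10\tTLS_RSA_WITH_AES_128_CBC_SHA\tmail.example.com\t-\tCN=mail.example.com\tCN=mail.example.com\t1300000000.000000\t1460000000.000000\t-
1361400001.000000\tCjhGID4nQcgTWjvg4c\t10.0.0.6\t51235\t192.0.2.20\t443\tTLSv10\tTLS_RSA_WITH_AES_128_CBC_SHA\twww.example.org\t-\tCN=www.example.org,O=Example\tCN=Example CA,O=Example\t1350000000.000000\t1381536000.000000\t-
1361400002.000000\tCmES5u32sYpV7JYN\t10.0.0.7\t51236\t192.0.2.30\t443\tSSLv3\t-\t-\t-\t-\t-\t-\t-\t-
"""


def parse_bro_log(text):
    """Yield one dict per record, keyed by the #fields header rather than column number."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line:
            continue  # other header lines (#separator, #types, ...) and blanks
        elif fields is None:
            raise ValueError("record seen before #fields header")
        else:
            yield dict(zip(fields, line.split("\t")))


def triage(records, watch_subjects=()):
    """Return (uid, server_name, reasons) for records worth a second look."""
    findings = []
    for r in records:
        subj, issuer = r["subject"], r["issuer_subject"]
        reasons = []
        if subj != "-" and subj == issuer:          # same test as the awk, unset ("-") excluded
            reasons.append("self-signed")
        if r["not_valid_before"] != "-" and r["not_valid_after"] != "-":
            if float(r["not_valid_after"]) - float(r["not_valid_before"]) > FIVE_YEARS:
                reasons.append("validity>5y")
        if subj in watch_subjects or issuer in watch_subjects:  # report-supplied subjects/issuers
            reasons.append("watchlist")
        if reasons:
            findings.append((r["uid"], r["server_name"], reasons))
    return findings


if __name__ == "__main__":
    # Hypothetical watch-list value standing in for a subject/issuer copied from a report.
    for uid, sni, why in triage(parse_bro_log(SAMPLE_LOG), {"CN=Example CA,O=Example"}):
        print(uid, sni, ",".join(why))
```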