From rodrigue.alahassa at gmail.com Tue Jul 5 14:06:27 2011
From: rodrigue.alahassa at gmail.com (Rodrigue ALAHASSA)
Date: Tue, 5 Jul 2011 23:06:27 +0200
Subject: [Bro] Signature payload matching

Hi all,

I'm working on the automation of signature generation for Bro from pcap trace
files. I would like to know if the matching of the payload as a condition is
done against all the session data or more like per-packet matching.

Thanks

--
Rodrigue ALAHASSA
Royal Military Academy, Brussels


From robin at icir.org Tue Jul 5 14:55:02 2011
From: robin at icir.org (Robin Sommer)
Date: Tue, 5 Jul 2011 14:55:02 -0700
Subject: [Bro] Signature payload matching
Message-ID: <20110705215502.GA57476@icir.org>

On Tue, Jul 05, 2011 at 23:06 +0200, Rodrigue ALAHASSA wrote:

> I would like to know if the matching of the payload as a condition is done
> against all the session data or more like per packet matching.

It's matched against the reassembled session payload. There's some
more information on details of the matching process here:

http://www.bro-ids.org/documentation/signatures.html

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org


From rodrigue.alahassa at gmail.com Thu Jul 7 00:23:34 2011
From: rodrigue.alahassa at gmail.com (Rodrigue ALAHASSA)
Date: Thu, 7 Jul 2011 09:23:27 +0200
Subject: [Bro] Signature payload matching

Hi,

Once a signature has been written, compiled and matched against traffic, I
noticed that sometimes there are entries in signatures.log and notice.log,
and sometimes there are only entries in notice.log. I didn't change the
default settings for signatures.bro yet (no local site configuration). I
wonder in which cases Bro is told to write to signatures.log.

Thanks.
Rodrigue

--
SLt COC ALAHASSA
161 POL
Professeur Georges LEMAITRE


From robin at icir.org Thu Jul 7 08:20:03 2011
From: robin at icir.org (Robin Sommer)
Date: Thu, 7 Jul 2011 08:20:03 -0700
Subject: [Bro] Signature payload matching
Message-ID: <20110707152003.GA65905@icir.org>

On Thu, Jul 07, 2011 at 09:23 +0200, you wrote:

> Once a signature has been written, compiled and matched against a traffic. I
> noticed that sometimes there are entries in signatures.log and notice.log,
> sometimes there is only entries in notice.log.

Can you send an example including the entries in the logs and the
signatures?

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org


From robin at icir.org Thu Jul 7 15:09:56 2011
From: robin at icir.org (Robin Sommer)
Date: Thu, 7 Jul 2011 15:09:56 -0700
Subject: [Bro] Signature payload matching
References: <20110707152003.GA65905@icir.org>
Message-ID: <20110707220956.GK77684@icir.org>

On Thu, Jul 07, 2011 at 19:30 +0200, you wrote:

> The tar files are those related to the output of bro with their according
> signature.

The matches reported in auto/signatures.log and auto/notices.log are
the same as far as I can see. And I don't see any reported in test/*.
So not sure what the problem is?
Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org


From rodrigue.alahassa at gmail.com Fri Jul 8 13:40:33 2011
From: rodrigue.alahassa at gmail.com (Rodrigue ALAHASSA)
Date: Fri, 8 Jul 2011 22:40:33 +0200
Subject: [Bro] Signature payload matching
In-Reply-To: <20110707220956.GK77684@icir.org>
References: <20110707152003.GA65905@icir.org> <20110707220956.GK77684@icir.org>

What I wondered is why nothing is reported for test.sig. The payload is not
the same, I do agree. But I don't understand why it failed to detect it in
the traffic.

Thanks in advance.

--
SLt COC ALAHASSA
161 POL
Professeur Georges LEMAITRE


From jdvessey at gmail.com Tue Jul 19 11:42:39 2011
From: jdvessey at gmail.com (David Vessey)
Date: Tue, 19 Jul 2011 18:42:39 +0000
Subject: [Bro] conn.log - What does cc=1 mean?

Hello list,

This is my first post - just another network monkey, been playing around
with bro for the last year or so, writing some custom policy files to try
and do some large scale analysis.

Can anyone tell me what the "cc=1" means at the end of a line for conn.log
output?

I'm getting output lines like this:

1307664147.729018 0.103712 1.2.3.4 5.6.7.8 https? 1839 443 tcp 1865279311 ?
RSTOS0 X cc=1

The 'sent bytes' is "1865279311", which seems awfully high, and received are
0. A quick survey looks like most entries that have a large byte count with
sent or received and 0 in the other direction have the state set to "RSTOS0"
and the flags set to "X cc=1".

I believe one of the main factors causing this is damaged PCAPs (limited
snaplength, possibly dropped packets). However if I can exclude the damaged
records, I can still carry on with some analysis.

Thanks,
-David


From sri at basam.org Tue Jul 19 13:34:06 2011
From: sri at basam.org (sridhar basam)
Date: Tue, 19 Jul 2011 16:34:06 -0400
Subject: [Bro] conn.log - What does cc=1 mean?

On Tue, Jul 19, 2011 at 2:42 PM, David Vessey wrote:

> Can anyone tell me what the "cc=1" means at the end of a line for conn.log
> output?

I have seen these lines mostly on failed connections (could be either due to
missing packets in the capture file or genuine setup failures).
The cc=1 is from the connection compressor being enabled for this run. There
is some good documentation on what the connection compressor does and what
enabling it means in src/ConnCompressor.cc in the source tree. I turn off the
connection compressor for *some* of my analysis since you lose some
information when there are syn retries.

Have you looked at some of the connections which have the cc=1 tag to see if
they are just setup failures or your trace is missing packets or there is
something else weird with those connections?

Sridhar


From vern at icir.org Tue Jul 19 16:32:29 2011
From: vern at icir.org (Vern Paxson)
Date: Tue, 19 Jul 2011 16:32:29 -0700
Subject: [Bro] conn.log - What does cc=1 mean?
In-Reply-To: (Tue, 19 Jul 2011 18:42:39 -0000).
Message-ID: <20110719233229.8898F36A38B@taffy.ICSI.Berkeley.EDU>

> 1307664147.729018 0.103712 1.2.3.4 5.6.7.8 https? 1839 443 tcp 1865279311 ?
> RSTOS0 X cc=1
>
> The 'sent bytes' is "1865279311", which seems awfully high, and received are
> 0.

Yeah, the byte count for RSTOS0 connections is unreliable. The reason is
that RSTOS0 means "the connection originator sent a SYN followed a while
later by a RST, with no SYN-ACK from the other side". In that situation,
Bro's best guess as to the byte count for the connection is the difference
in sequence numbers between the RST and the SYN. *Sometimes* that's correct,
but often there's no particular relationship between those two values, in
which case you get the equivalent of a garbage 32-bit value for the size.

> I believe one of the main factors causing this is damaged PCAPs (limited
> snaplength, possibly dropped packets)

Note, that's probably not what's causing the above. Bro generally detects
damaged PCAPs and refrains from analyzing them.
Dropped packets can lead to some degree of confusion, but RSTOS0 more often
means that the originator either had no luck (responder never answered, and
eventually the originator tore down the connection with a RST because of
this), and/or the originator was scanning.

		Vern


From mcholste at gmail.com Thu Jul 21 07:16:16 2011
From: mcholste at gmail.com (Martin Holste)
Date: Thu, 21 Jul 2011 09:16:16 -0500
Subject: [Bro] Howto

Every year, at least once a year, I make an honest effort to implement Bro
and to start taking advantage of its advanced capabilities. Each year, I
spend a few hours on it and give up. I look through every doc I can find on
the Bro web site and in the tarball, but the lack of sufficient examples and
documentation always stifles any progress. I want this year to be different.
The purpose of this email is to find out from you guys how to do the
following (ideally in example form):

How do I write a policy to detect when an SSL connection has a certificate
which was created less than 30 days ago (not_valid_before > 30 days ago)?

How do I send arbitrary connection data to an external program and receive
information back from it (and I need something more detailed than "use
broccoli")?

Thanks,

Martin


From seth at icir.org Thu Jul 21 09:13:45 2011
From: seth at icir.org (Seth Hall)
Date: Thu, 21 Jul 2011 12:13:45 -0400
Subject: [Bro] Howto

On Jul 21, 2011, at 10:16 AM, Martin Holste wrote:

> Every year, at least once a year, I make an honest effort to implement
> Bro and to start taking advantage of its advanced capabilities. Each
> year, I spend a few hours on it and give up.

Unfortunately Bro has never been at a sufficient point to spend a few hours
and start getting great results; it typically takes a lot more time and
effort. We're working hard to change that though.

> I want this year to be different.

Great to hear Martin!
> How do I write a policy to detect when an SSL connection has a
> certificate which was created less than 30 days ago (not_valid_before > 30 days ago)?

These will only work in the git master and we'll likely have some sort of
notice for this situation for the release, but it's pretty easy and there
are a couple of ways of doing it. If you want to do it through the new
logging framework...

@load protocols/ssl
event SSL::log_ssl(rec: SSL::Info)
        {
        if ( rec$not_valid_before > network_time() - 60*60*24*30 )
                {
                print fmt("%s is using a certificate that was created %d days ago",
                          rec$id$resp_h, (network_time()-rec$not_valid_before) / (60*60*24));
                }
        }

That code above doesn't output to the logging framework or the notice
framework, but I wanted to pare it down to the bare minimum to demonstrate
how easy that is.

If you want to use the actual internal SSL events, you can do this...

@load protocols/ssl
event x509_certificate(c: connection, cert: X509, is_server: bool, chain_idx: count, chain_len: count, der_cert: string)
        {
        # The entire certificate chain is presented to us here but we only want
        # chain_idx==0 because that's the actual host certificate.
        if ( chain_idx != 0 )
                return;

        if ( cert$not_valid_before > network_time() - 60*60*24*30 )
                {
                print fmt("%s is using a certificate that was created %d days ago",
                          c$id$resp_h, (network_time()-cert$not_valid_before) / (60*60*24));
                }
        }

Please send along more concrete examples of tasks you'd like to complete.
Those are the kinds of questions I really like. :)

> How do I send arbitrary connection data to an external program and
> receive information back from it (and I need something more detailed
> than "use broccoli")?

Heh, the reason you've always gotten that answer is that that's a bit more
complicated than we all wish it was. If you could give me an example of what
you are aiming to do here I may be able to give a good answer of either how
to do it or make sure that it's possible soon.
We've begun defining a companion input framework to go along with the
logging framework but it's still very early and we haven't begun writing any
code for it yet (IOW, definitely not in the next release).

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/


From mcholste at gmail.com Thu Jul 21 09:48:39 2011
From: mcholste at gmail.com (Martin Holste)
Date: Thu, 21 Jul 2011 11:48:39 -0500
Subject: [Bro] Howto

> @load protocols/ssl
> event SSL::log_ssl(rec: SSL::Info)
>         {
>         if ( rec$not_valid_before > network_time() - 60*60*24*30 )
>                 {
>                 print fmt("%s is using a certificate that was created %d days ago",
>                           rec$id$resp_h, (network_time()-rec$not_valid_before) / (60*60*24));
>                 }
>         }

Awesome, this is good stuff! Now I have a concrete goal. If I can get just
this working, it will have been worth my time.

> @load protocols/ssl
> event x509_certificate(c: connection, cert: X509, is_server: bool, chain_idx: count, chain_len: count, der_cert: string)
>         {
>         # The entire certificate chain is presented to us here but we only want chain_idx==0 because that's the actual host certificate.
>         if ( chain_idx != 0 )
>                 return;
>
>         if ( cert$not_valid_before > network_time() - 60*60*24*30 )
>                 {
>                 print fmt("%s is using a certificate that was created %d days ago",
>                           c$id$resp_h, (network_time()-cert$not_valid_before) / (60*60*24));
>                 }
>         }

So when would one want to use this version? If you need access to the
entire cert chain for your calculations?

> Please send along more concrete examples of tasks you'd like to complete. Those are the kinds of questions I really like. :)

Ha, how much time do you have!
> We've begun defining a companion input framework to go along with the logging framework but it's still very early and we haven't begun writing any code for it yet (IOW, definitely not in the next release).

Please, please do it this way: Create a generic external IO system that uses
an HTTP protocol. REST is preferred, but the simpler the better. That way you
can get out of the binary protocol business and get back to work on Bro's
core competencies, and anyone who wants to interact with Bro can just make
sure they have a sensible web API.


From vern at icir.org Thu Jul 21 09:59:58 2011
From: vern at icir.org (Vern Paxson)
Date: Thu, 21 Jul 2011 09:59:58 -0700
Subject: [Bro] Howto
In-Reply-To: (Thu, 21 Jul 2011 12:13:45 EDT).
Message-ID: <20110721165958.18DAC36A395@taffy.ICSI.Berkeley.EDU>

> if ( rec$not_valid_before > network_time() - 60*60*24*30 )

Note, this will need to be:

	if ( rec$not_valid_before > network_time() - 60*60*24*30 sec )

Bro won't allow mixing integers with time values.

		Vern


From seth at icir.org Thu Jul 21 10:04:50 2011
From: seth at icir.org (Seth Hall)
Date: Thu, 21 Jul 2011 13:04:50 -0400
Subject: [Bro] Howto
In-Reply-To: <20110721165958.18DAC36A395@taffy.ICSI.Berkeley.EDU>
References: <20110721165958.18DAC36A395@taffy.ICSI.Berkeley.EDU>
Message-ID: <006174C0-02D6-437A-BC50-820FDF399CAC@icir.org>

On Jul 21, 2011, at 12:59 PM, Vern Paxson wrote:

> Bro won't allow mixing integers with time values.

Damn, I knew I should have tested that first. Thanks.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/


From seth at icir.org Thu Jul 21 10:25:53 2011
From: seth at icir.org (Seth Hall)
Date: Thu, 21 Jul 2011 13:25:53 -0400
Subject: [Bro] Howto
Message-ID: <776D70D5-C931-40FF-907B-96CA0F7D6B1C@icir.org>

On Jul 21, 2011, at 12:48 PM, Martin Holste wrote:

> So when would one want to use this version?
> If you need access to the
> entire cert chain for your calculations?

That's up to you. :) I have a whole list of things you may want to do (and
some of which will be done out of the box).

1. You may want to see the signing chain for a certificate, including the
root signer. This event will give you the subject, the actual certificate
itself, etc. Here's the cert structure...

type X509: record {
	version: count;
	serial: string;
	subject: string;
	issuer: string;
	not_valid_before: time;
	not_valid_after: time;
};

2. You need the full certificate chain to do certificate validation (that's
already built into the script).

3. You may want to extract the certificates in the chain. The entire
certificate chain is given to you as DER and you can print it to a file with
the &raw_output attribute.

> Ha, how much time do you have!

That's the only way we can make sure that we are solving real world
problems. :)

> Please, please do it this way:
> Create a generic external IO system that uses an HTTP protocol. REST
> is preferred, but the simpler the better.

Thanks for the comments. I think it's certainly possible that someone could
already implement something like this with broccoli and that's probably how
it should be done anyway. It would be like an API daemon. :) Feel free to
file a feature request ticket, I think creating an API daemon would be
possible and could work quite well.
http://tracker.bro-ids.org/

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/


From robin at icir.org Thu Jul 21 14:00:38 2011
From: robin at icir.org (Robin Sommer)
Date: Thu, 21 Jul 2011 14:00:38 -0700
Subject: [Bro] [Fwd] [RAID 2011] Call for Participation
Message-ID: <20110721210038.GB7411@icir.org>

Thought this might be interesting for some here: There will be a panel at
RAID 2011 on open-source network intrusion detection systems with
representatives of the three major systems discussing the state of their
systems, including our own Seth Hall. See
http://www.raid2011.org/panel.shtml for more information.

Robin

----- Forwarded message from RAID 2011 -----

From: RAID 2011
Subject: [RAID 2011] Call for Participation

14th International Symposium on Recent Advances in Intrusion Detection
(RAID'2011)
September 20-21, 2011
SRI International, Menlo Park, CA
http://www.raid2011.org

Call for Participation
===========================================================

For the fourteenth year, the intrusion detection community will converge at
RAID'2011 to discuss cutting-edge research in malware, application security,
anomaly detection, special environments and sandboxing, web security and
social networks, and network security.

You are invited to join us at RAID for two days this September at SRI
International, Menlo Park, CA. Register online at: http://www.raid2011.org/.
Kind reminder: early bird registration closes on August 1, 2011!

The annual symposium brings together leading researchers and practitioners
from academia, government, and industry to discuss issues and technologies
related to intrusion detection and defense.
RAID 2011 features an exciting technical program, with presentations
addressing topics such as dynamic analysis of malicious shellcode, the
world's fastest taint tracker, anomaly detection using software defined
networking, defending legacy embedded systems, web and social network
security, and cross-analysis of botnet victims. A poster session during the
symposium will provide lively face-to-face discussions of work in progress.

This year we will have a great keynote presentation on "The Cutting Edge of
Medical Device Security and Privacy" by Dr. Kevin Fu!

We also have a special panel to discuss "State and Future of Open-Source
Network Intrusion Detection":

Panel Moderator:
- Ron Gula, Tenable Network Security

Panel participants:
- Seth Hall, International Computer Science Institute
- Victor Julien, Open Infosec Foundation
- Martin Roesch, Sourcefire

The Open Information Security Foundation (OISF) is co-locating a Suricata
community meeting with RAID 2011.

Don't miss out on this great fun event to socialize with your colleagues at
the heart of Silicon Valley!

----- End forwarded message -----

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org


From seth at icir.org Fri Jul 22 12:02:59 2011
From: seth at icir.org (Seth Hall)
Date: Fri, 22 Jul 2011 15:02:59 -0400
Subject: [Bro] Workshop
Message-ID: <33B9F15D-F4F9-482E-86C1-6F2DDE43743F@icir.org>

I would like to announce that we are finally planning another Bro workshop!
It's going to be sometime in early November at the NCSA (National Center for
Supercomputing Applications) located in Urbana-Champaign, Illinois. More
details and registration will be coming soon.

Sorry to everyone who "voted" for Berkeley in that survey a while back. The
Illinois votes won.
Thanks,
.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/


From alvinh999 at gmail.com Thu Jul 28 06:30:49 2011
From: alvinh999 at gmail.com (Alvin Huang)
Date: Thu, 28 Jul 2011 09:30:49 -0400
Subject: [Bro] Fwd: Logging an SSL Certificate

Hey guys,

I was just wondering if there was a way to log the SSL certificates from an
SSL handshake. I want to log these so that I can check the signer
specifically and check their authenticity. I have been working in Snort IDS
but I haven't been able to get this to work so I am going to try Bro if it
is possible here instead. The main problems I run into on Snort is the TCP
packets not reassembling and figuring out what content match to look for in
the rules (although I can look through Wireshark and pull something out to
try easily). Is this possible in Bro? Someone told me it would be available
out of box on Bro so I am seriously considering this.

Thanks in advance,
Alvin


From mcholste at gmail.com Thu Jul 28 06:57:19 2011
From: mcholste at gmail.com (Martin Holste)
Date: Thu, 28 Jul 2011 08:57:19 -0500
Subject: [Bro] Fwd: Logging an SSL Certificate

Yep, this happens out of the box in Bro. By default, it will log all
certificates seen, and it also logs any invalid certificates (for many
reasons) to the notice.log file (the alert file).

Also, you shouldn't be having any TCP reassembly issues in Snort if it's a
recent version. Snort will absolutely not do any of this SSL stuff, so you
can forget about trying to use Snort and focus on using Bro for this. Seth
got me going with it and it works as advertised.
From hhoffman at ip-solutions.net Thu Jul 28 07:06:42 2011
From: hhoffman at ip-solutions.net (Harry Hoffman)
Date: Thu, 28 Jul 2011 10:06:42 -0400
Subject: [Bro] Fwd: Logging an SSL Certificate
Message-ID: <4E316CF2.1020703@ip-solutions.net>

Snort can absolutely log SSL certs, you just need a rule for it (and I'm
guessing emerging-threats prolly has one).

Here's the rule I'm using (for our environment):

# ssl connections on high ports
alert tcp $HOME_NET ![25,443,465,587,636,993,995] -> !$HOME_NET any (msg:"ssl_v3_out"; \
    content:"|16 03|"; depth:2; \
    content:"|02|"; distance:3; depth:1; \
    content:"|03|"; distance:3; depth:1; \
    content:"|16 03|"; content:"|0e|"; distance:3; depth:1; \
    sid:1000019; \
    threshold: type limit, track by_src, count 2, seconds 600;)

It logs more than just the cert but it's a good way to see things like TOR
traffic from bridges and the like as well as the high port SSL servu ftp
servers running on comp'd machines.

Cheers,
Harry


From mcholste at gmail.com Thu Jul 28 07:21:59 2011
From: mcholste at gmail.com (Martin Holste)
Date: Thu, 28 Jul 2011 09:21:59 -0500
Subject: [Bro] Fwd: Logging an SSL Certificate
In-Reply-To: <4E316CF2.1020703@ip-solutions.net>
References: <4E316CF2.1020703@ip-solutions.net>

> Snort can absolutely log SSL certs, you just need a rule for it (and I'm
> guessing emerging-threats prolly has one).
Right, it can log the packet in which the cert exists and do some
rudimentary checks for known strings contained within, but Bro will actually
decode the cert, walk the certificate chain, match against a database of
known-valid public keys from Mozilla, etc. The end result is a true test of
whether or not the certificate is valid. The ET sigs (which I contributed
to) for this are pretty basic content matches and only work for very
specific certs.

Alvin, Bro won't work on Windows, but it will read packet traces created
from the Windows box, so you could capture with wireshark and then ship to a
Linux or FreeBSD box running Bro. Not ideal, to be sure. Usually you run an
IDS on the network ahead of the devices you're trying to monitor, not
directly on them (though this is not always possible).


From seth at icir.org Thu Jul 28 11:04:23 2011
From: seth at icir.org (Seth Hall)
Date: Thu, 28 Jul 2011 14:04:23 -0400
Subject: [Bro] Fwd: Logging an SSL Certificate
Message-ID: <9A194B19-8E3D-46A8-8B7F-9426564A7BF4@icir.org>

On Jul 28, 2011, at 9:57 AM, Martin Holste wrote:

> Yep, this happens out of the box in Bro. By default, it will log all
> certificates seen, and it also logs any invalid certificates (for many
> reasons) to the notice.log file (the alert file).

Keeping in mind that this is at least true for the next release that we
don't distribute as a package yet (repository only). :)

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
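Added example for the "cc=1" thread above (David's question, Sridhar's and Vern's answers); this is editor-written code, not Bro's and not any poster's. It parses old-format conn.log lines like the one David posted, models the byte-count guess Vern describes (RST sequence number minus SYN sequence number, as a 32-bit value) to show why a half-open connection can report 1865279311 bytes, and separates records whose byte counts cannot be trusted from the rest. The field order assumed for the old conn.log line (ts, duration, orig_h, resp_h, service, orig_p, resp_p, proto, orig_bytes, resp_bytes, state, flags, addl) is an assumption inferred from that one line; the sample log block is constructed.

```python
"""Triage of RSTOS0 / cc=1 records in the old (pre-2.0) Bro conn.log format.

Added example, not code from the Bro project or the list posters.  It models
Vern's explanation: for an RSTOS0 connection Bro's byte-count guess is the
sequence-number distance between the originator's RST and its SYN, which is
only meaningful when the two are related.  The field order assumed below is
inferred from the line David posted; adjust it if your output differs.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the line from the post plus two made-up neighbours.
SAMPLE_CONN_LOG = """\
1307664147.729018 0.103712 1.2.3.4 5.6.7.8 https? 1839 443 tcp 1865279311 ? RSTOS0 X cc=1
1307664150.000000 12.5 1.2.3.4 5.6.7.8 http 1840 80 tcp 812 43210 SF X
1307664151.500000 0.0 1.2.3.4 5.6.7.9 other 1841 22 tcp 0 ? RSTOS0 X cc=1
"""


@dataclass
class ConnRecord:
    ts: float
    duration: float
    orig_h: str
    resp_h: str
    service: str
    orig_p: int
    resp_p: int
    proto: str
    orig_bytes: Optional[int]   # None when Bro printed '?'
    resp_bytes: Optional[int]
    state: str
    flags: str
    addl: str                   # e.g. 'cc=1' (connection compressor) or ''


def _count(field: str) -> Optional[int]:
    return None if field == "?" else int(field)


def parse_conn_line(line: str) -> ConnRecord:
    """Split one old-format conn.log line into its (assumed) fields."""
    f = line.split()
    if len(f) < 12:
        raise ValueError(f"unexpected conn.log line: {line!r}")
    return ConnRecord(
        ts=float(f[0]), duration=float(f[1]), orig_h=f[2], resp_h=f[3],
        service=f[4], orig_p=int(f[5]), resp_p=int(f[6]), proto=f[7],
        orig_bytes=_count(f[8]), resp_bytes=_count(f[9]), state=f[10],
        flags=f[11], addl=" ".join(f[12:]),
    )


def rstos0_byte_guess(syn_seq: int, rst_seq: int) -> int:
    """Model of the guess Vern describes: RST seq minus SYN seq, mod 2^32.

    With an unrelated RST sequence number this is an arbitrary 32-bit value,
    which is how a count like 1865279311 appears on a half-open connection.
    """
    return (rst_seq - syn_seq) % (1 << 32)


def is_suspect_byte_count(rec: ConnRecord) -> bool:
    """True when the byte count should not feed volume analysis.

    A half-open connection (RSTOS0: SYN then RST, no SYN-ACK) carried no
    application data, so a non-zero originator byte count is the
    sequence-number artefact rather than payload.  The cc=1 tag only says
    the connection compressor handled the setup, so it is not a criterion
    on its own.
    """
    return rec.state == "RSTOS0" and bool(rec.orig_bytes)


def split_for_analysis(text: str):
    """Return (usable, suspect) record lists for a block of old-format conn.log."""
    usable: List[ConnRecord] = []
    suspect: List[ConnRecord] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        rec = parse_conn_line(line)
        (suspect if is_suspect_byte_count(rec) else usable).append(rec)
    return usable, suspect


if __name__ == "__main__":
    ok, bad = split_for_analysis(SAMPLE_CONN_LOG)
    for r in bad:
        print(f"dropping {r.orig_h}:{r.orig_p} -> {r.resp_h}:{r.resp_p} "
              f"state={r.state} addl={r.addl!r} orig_bytes={r.orig_bytes}")
    print(f"{len(ok)} usable, {len(bad)} suspect")
    # A RST right after the SYN gives a small, plausible count; an
    # unrelated RST sequence number gives a 32-bit-sized one.
    print(rstos0_byte_guess(0x12345678, 0x12345679))
    print(rstos0_byte_guess(0x12345678, 0x00000000))
```

The third constructed line shows the distinction Sridhar and Vern draw: an RSTOS0 record with a zero byte count is a plain setup failure and stays usable, while one carrying a large count is kept out of any byte-volume totals. If the analysis instead needs to exclude every half-open connection, drop the `bool(rec.orig_bytes)` term.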
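Added example for the Snort-versus-Bro exchange above (Harry's ssl_v3_out rule and Martin's point that content matches only fit specific layouts, whereas Bro decodes the handshake); this is editor-written code, not Snort's, Bro's or any poster's. It turns the rule's content/distance/depth chain into the fixed byte offsets it checks in the reassembled server-to-client stream (my reading of Snort's relative-content semantics), and sets that beside a small TLS record walker that extracts the DER blobs from the Certificate message, roughly the step that precedes Bro's x509_certificate event. The handshake bytes are constructed inline and the "DER" in them is a placeholder, not a real certificate.

```python
"""What the ssl_v3_out rule checks versus what decoding the handshake yields.

Added example, not code from Snort, Bro or any list poster.  Two layouts of
the same server flight are constructed: one record per handshake message,
and all three messages coalesced into a single record (which TLS permits).
The fixed-offset checks match only the first; the record walker decodes both.
"""
import struct
from typing import List, Tuple

HANDSHAKE = 0x16
SERVER_HELLO, CERTIFICATE, SERVER_HELLO_DONE = 0x02, 0x0B, 0x0E


def hs_msg(msg_type: int, body: bytes) -> bytes:
    """Handshake message: 1-byte type + 3-byte length + body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def record(fragment: bytes, version: bytes = b"\x03\x01") -> bytes:
    """TLS record: content type, 2-byte version, 2-byte length, fragment."""
    return bytes([HANDSHAKE]) + version + struct.pack("!H", len(fragment)) + fragment


# Constructed ServerHello body: version, 32-byte random, empty session id,
# one cipher suite, null compression.
SERVER_HELLO_BODY = b"\x03\x01" + b"\x00" * 32 + b"\x00" + b"\x00\x2f" + b"\x00"
FAKE_DER = b"\x30\x82\x01\x00" + b"\xaa" * 16          # placeholder, not a cert
CERT_BODY = ((len(FAKE_DER) + 3).to_bytes(3, "big")    # certificate_list length
             + len(FAKE_DER).to_bytes(3, "big") + FAKE_DER)

# Layout 1: one record per message, the shape the rule's offsets assume.
THREE_RECORDS = (record(hs_msg(SERVER_HELLO, SERVER_HELLO_BODY))
                 + record(hs_msg(CERTIFICATE, CERT_BODY))
                 + record(hs_msg(SERVER_HELLO_DONE, b"")))
# Layout 2: the same three messages inside a single record.
ONE_RECORD = record(hs_msg(SERVER_HELLO, SERVER_HELLO_BODY)
                    + hs_msg(CERTIFICATE, CERT_BODY)
                    + hs_msg(SERVER_HELLO_DONE, b""))


def snort_rule_matches(payload: bytes) -> bool:
    """The byte checks of the ssl_v3_out rule, in order.

    |16 03| depth:2          -> record header at offset 0
    |02| distance:3 depth:1  -> handshake type at offset 5 is ServerHello
    |03| distance:3 depth:1  -> ServerHello version major at offset 9
    |16 03| then |0e| distance:3 depth:1
                             -> some later record whose first handshake
                                type byte is ServerHelloDone
    """
    if len(payload) < 10 or payload[0:2] != b"\x16\x03":
        return False
    if payload[5] != SERVER_HELLO or payload[9] != 0x03:
        return False
    i = payload.find(b"\x16\x03", 1)
    while i != -1:
        if i + 5 < len(payload) and payload[i + 5] == SERVER_HELLO_DONE:
            return True
        i = payload.find(b"\x16\x03", i + 1)
    return False


def walk_handshake(payload: bytes) -> List[Tuple[int, bytes]]:
    """Split records, then handshake messages; returns (type, body) pairs."""
    msgs, pos = [], 0
    while pos + 5 <= len(payload):
        ctype = payload[pos]
        length = struct.unpack("!H", payload[pos + 3:pos + 5])[0]
        frag, pos = payload[pos + 5:pos + 5 + length], pos + 5 + length
        if ctype != HANDSHAKE:
            continue
        off = 0
        while off + 4 <= len(frag):
            mtype = frag[off]
            mlen = int.from_bytes(frag[off + 1:off + 4], "big")
            msgs.append((mtype, frag[off + 4:off + 4 + mlen]))
            off += 4 + mlen
    return msgs


def server_certificates(payload: bytes) -> List[bytes]:
    """DER blobs from the Certificate message, leaf first (chain index 0)."""
    certs = []
    for mtype, body in walk_handshake(payload):
        if mtype != CERTIFICATE:
            continue
        off = 3   # skip the certificate_list length
        while off + 3 <= len(body):
            clen = int.from_bytes(body[off:off + 3], "big")
            certs.append(body[off + 3:off + 3 + clen])
            off += 3 + clen
    return certs


if __name__ == "__main__":
    for name, stream in (("three records", THREE_RECORDS), ("one record", ONE_RECORD)):
        print(f"{name}: rule-style match={snort_rule_matches(stream)}, "
              f"certs decoded={len(server_certificates(stream))}")
```

The coalesced layout is the edge case worth keeping in mind when tuning a rule like Harry's: every byte the rule inspects is still present, but the second `|16 03|` record header it relies on never appears, so the rule is silent while the walker still returns the leaf certificate that a signer check would start from.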