[Bro] Fwd: Logging an SSL Certificate

Harry Hoffman hhoffman at ip-solutions.net
Thu Jul 28 07:06:42 PDT 2011


Snort can absolutely log SSL certs, you just need a rule for it (and I'm
guessing emerging-threats prolly has one).

Here's the rule I'm using (for our environment):
# ssl connections on high ports
alert tcp $HOME_NET ![25,443,465,587,636,993,995] -> !$HOME_NET any
(msg:"ssl_v3_out"; \
  content:"|16 03|"; depth:2; \
  content:"|02|"; distance:3; depth:1; \
  content:"|03|"; distance:3; depth:1; \
  content:"|16 03|"; content:"|0e|"; distance:3; depth:1; \
  sid:1000019; \
  threshold: type limit, track by_src, count 2, seconds 600;)

It logs more than just the cert but it's a good way to see things like
TOR traffic from bridges and the like as well as the high port SSL Serv-U
ftp servers running on comp'd machines.

Cheers,
Harry
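The rule above is matching the server side of an SSLv3/TLS handshake byte by byte: `|16 03|` at offset 0 is a handshake record for major version 3, `|02|` three bytes on (offset 5) is the ServerHello message type, `|03|` at offset 9 is the version major inside the ServerHello, and a later `|16 03|` record whose type byte is `|0e|` is ServerHelloDone. The following is an added example, not code from the thread or from Bro or Snort: a small Python parser that applies the same offset checks to a reassembled stream and then does what Bro does on top, pulling the DER blobs out of the Certificate message so the signer can be checked offline. The handshake bytes are constructed, and the certificate body is a labelled placeholder rather than a real DER certificate.

```python
"""Added example: parse a TLS/SSLv3 server handshake from reassembled bytes.

Shows which bytes the Snort rule in the thread is keyed on, and extracts the
Certificate message (what Bro's ssl analyzer logs). All input is constructed.
"""
import struct

HANDSHAKE = 0x16                       # TLS record content type
CLIENT_HELLO, SERVER_HELLO, CERTIFICATE, SERVER_HELLO_DONE = 0x01, 0x02, 0x0B, 0x0E


def _record(ctype, body, version=(3, 1)):
    """Wrap a payload in a 5-byte TLS record header (used to build sample data)."""
    return bytes([ctype, version[0], version[1]]) + struct.pack("!H", len(body)) + body


def _handshake_msg(mtype, body):
    """Wrap a body in a 4-byte handshake header: type + 3-byte length."""
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body


def parse_records(stream):
    """Split a byte stream into (content_type, (major, minor), payload) records.

    A record cut off by a segment boundary is left for the next read instead of
    being parsed as garbage, which is the reassembly problem mentioned in the thread."""
    records, pos = [], 0
    while pos + 5 <= len(stream):
        ctype, major, minor, length = struct.unpack("!BBBH", stream[pos:pos + 5])
        body = stream[pos + 5:pos + 5 + length]
        if len(body) < length:
            break                       # truncated record: need more data
        records.append((ctype, (major, minor), body))
        pos += 5 + length
    return records


def parse_handshake_messages(records):
    """Concatenate handshake record payloads and split into (type, body) messages."""
    buf = b"".join(body for ctype, _, body in records if ctype == HANDSHAKE)
    msgs, pos = [], 0
    while pos + 4 <= len(buf):
        mtype = buf[pos]
        length = int.from_bytes(buf[pos + 1:pos + 4], "big")
        msgs.append((mtype, buf[pos + 4:pos + 4 + length]))
        pos += 4 + length
    return msgs


def extract_certificates(cert_body):
    """Return the DER blobs from a Certificate message body (3-byte length prefixes)."""
    total = int.from_bytes(cert_body[0:3], "big")
    pos, end, certs = 3, 3 + total, []
    while pos + 3 <= end:
        clen = int.from_bytes(cert_body[pos:pos + 3], "big")
        certs.append(cert_body[pos + 3:pos + 3 + clen])
        pos += 3 + clen
    return certs


def matches_high_port_ssl_rule(data):
    """Reproduce the content checks of the rule: 16 03 at 0, ServerHello type at 5,
    version major 3 at 9, then some later 16 03 record whose type byte is 0e."""
    if len(data) < 10 or data[0:2] != b"\x16\x03":
        return False
    if data[5] != SERVER_HELLO or data[9] != 0x03:
        return False
    start = 0
    while True:                         # try every 16 03 occurrence, like Snort backtracking
        i = data.find(b"\x16\x03", start)
        if i < 0:
            return False
        if i + 5 < len(data) and data[i + 5] == SERVER_HELLO_DONE:
            return True
        start = i + 1


def summarize_server_handshake(stream):
    """Everything a defender wants from one flow: message types, certs, rule hit."""
    records = parse_records(stream)
    msgs = parse_handshake_messages(records)
    certs = [c for mtype, body in msgs if mtype == CERTIFICATE for c in extract_certificates(body)]
    return {
        "message_types": [m for m, _ in msgs],
        "certificates": certs,
        "rule_match": matches_high_port_ssl_rule(stream),
    }


# Constructed sample data: a placeholder stands in for a real DER certificate.
FAKE_CERT_DER = b"CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-DER-CERTIFICATE"
_server_hello = b"\x03\x01" + b"\x11" * 32 + b"\x00" + b"\x00\x2f" + b"\x00"
_cert_entry = len(FAKE_CERT_DER).to_bytes(3, "big") + FAKE_CERT_DER
_cert_body = len(_cert_entry).to_bytes(3, "big") + _cert_entry
SERVER_HANDSHAKE = (
    _record(HANDSHAKE, _handshake_msg(SERVER_HELLO, _server_hello))
    + _record(HANDSHAKE, _handshake_msg(CERTIFICATE, _cert_body))
    + _record(HANDSHAKE, _handshake_msg(SERVER_HELLO_DONE, b""))
)
CLIENT_HELLO_STREAM = _record(
    HANDSHAKE, _handshake_msg(CLIENT_HELLO, b"\x03\x01" + b"\x22" * 32 + b"\x00\x00\x02\x00\x2f\x01\x00")
)

if __name__ == "__main__":
    print(summarize_server_handshake(SERVER_HANDSHAKE))
```

Run against the constructed server stream it reports message types [2, 11, 14], one certificate blob, and a rule match; the client-side stream does not match, and a stream cut one byte short yields only the two complete records. The rule as written also fires on any SSL server handshake on a non-standard port, cert or no cert, which is the "logs more than just the cert" behaviour Harry describes.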

On 07/28/2011 09:57 AM, Martin Holste wrote:
> Yep, this happens out of the box in Bro.  By default, it will log all
> certificates seen, and it also logs any invalid certificates (for many
> reasons) to the notice.log file (the alert file).
> 
> Also, you shouldn't be having any TCP reassembly issues in Snort if
> it's a recent version.  Snort will absolutely not do any of this SSL
> stuff, so you can forget about trying to use Snort and focus on using
> Bro for this.  Seth got me going with it and it works as advertised.
> 
> On Thu, Jul 28, 2011 at 8:30 AM, Alvin Huang <alvinh999 at gmail.com> wrote:
>> Hey guys,
>>
>> I was just wondering if there was a way to log the SSL certificates from an
>> SSL handshake. I want to log these so that I can check the signer
>> specifically and check their authenticity. I have been working in Snort IDS
>> but I haven't been able to get this to work so I am going to try Bro if it
>> is possible here instead. The main problems I run into on Snort are the TCP
>> packets not reassembling and figuring out what content match to look for in
>> the rules (although I can look through Wireshark and pull something out to
>> try easily). Is this possible in Bro? Someone told me it would be available
>> out of box on Bro so I am seriously considering this.
>>
>> Thanks in advance,
>> Alvin
>>
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>