[Bro] Question about data format of ssl.log files

Jesse Bowling jessebowling at gmail.com
Wed Feb 20 11:11:48 PST 2013


Hi,

So quite a few infosec folks are looking at Mandiant's APT1 report, myself
included...When I saw that they included some information on SSL certs in
use I thought "Oh, I'll bet I can check my Bro logs for that!".
Unfortunately, I don't see a way to correlate the info from these reports
with my Bro logs (which is pretty vanilla).

So I suppose my question(s) is/are:

*Has anyone else seen a reliable way to correlate the report data with Bro
logs?
*How might I change my Bro logs so that if I were given this info in the
future I could reliably correlate it?

I'm fairly ignorant about how much of an X509 cert one can see on the wire;
serial number seemed promising but is only "required" to be unique per CA,
Signature Algorithm seems promising, as does Public Key Modulus...

Any suggestions/thoughts from the group?

Cheers,

Jesse

http://intelreport.mandiant.com/
http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf
http://intelreport.mandiant.com/Mandiant_APT1_Report_Appendix.zip

-- 
Jesse Bowling
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20130220/a534f7b4/attachment.html 


More information about the Bro mailing list