[Bro] Question about data format of ssl.log files
Tim Ray
tray at 21ct.com
Wed Feb 20 14:01:36 PST 2013
So, the APT1 report has the certs in text format. Does Bro use that? Or is
it all in DER?
On 2/20/13 2:18 PM, "Mike Sconzo" <sconzo at visiblerisk.com> wrote:
>There are a couple different things you can look for.
>
>The serial number works pretty well in a lot of cases (I use this 99%
>of the time w/o issue). The subject and issuer are useful for finding
>odd SSL certs to begin with. A lof of their subjects and issuers are
>pretty trash looking. If you were really paranoid you could combine
>the 2 for a more accurate match. I'd also say having a 5 year validity
>isn't too normal, but I don't have any hard data to back this up (just
>from what I remember from doing analysis). Not to mention when subject
>= issuer is also a give away for self signed, and while not
>immediately malicious it tends to raise my eyebrow (for example, a
>self signed mail.aol.com or mail.yahoo.com cert?). For the default bro
>logs I'd look at servername, subject, not valid before and not valid
>after; that should give you a reasonable starting place.
>
>As an aside this might be one of my favorites:
>
>C=US, ST=Washington, L=Anytown, O=ACLU, OU=A@@hole,
>CN=NoName/emailAddress=iamnot at home.com
>
>Just by looking at subjects and/or issuers that should stand out
>because that is not normal for legit network traffic. Sorry for the
>tangent, but personally I'd be less worried about the specifics in the
>report and more about the chances that it's something not in this
>report on your network <FUD alert! :) >
>
>-=Mike
>
>
>
>On Wed, Feb 20, 2013 at 1:11 PM, Jesse Bowling <jessebowling at gmail.com>
>wrote:
>> Hi,
>>
>> So quite a few infosec folks are looking at Mandiant's APT1 report,
>>myself
>> included...When I saw that they included some information on SSL certs
>>in
>> use I thought "Oh, I'll bet I can check my Bro logs for that!".
>> Unfortunately, I don't see a way to correlate the info from these
>>reports
>> with my Bro logs (which is pretty vanilla).
>>
>> So I suppose my question(s) is/are:
>>
>> *Has anyone else seen a reliable way to correlate the report data with
>>Bro
>> logs?
>> *How might I change my Bro logs so that if I were given this info in the
>> future I could reliably correlate it?
>>
>> I'm fairly ignorant about how much of an X509 cert one can see on the
>>wire;
>> serial number seemed promising but is only "required" to be unique per
>>CA,
>> Signature Algorithm seems promising, as does Public Key Modulus...
>>
>> Any suggestions/thoughts from the group?
>>
>> Cheers,
>>
>> Jesse
>>
>> http://intelreport.mandiant.com/
>> http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf
>> http://intelreport.mandiant.com/Mandiant_APT1_Report_Appendix.zip
>>
>> --
>> Jesse Bowling
>>
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
>
>--
>cat ~/.bash_history > documentation.txt
>_______________________________________________
>Bro mailing list
>bro at bro-ids.org
>http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
More information about the Bro
mailing list