[Bro] X.509 extensions can be used for covert channel data transfer and C2
Andrew Ratcliffe
andrew.ratcliffe at nswcsystems.co.uk
Thu Feb 8 02:33:04 PST 2018
Hi Everyone,
Has anyone looked at this research https://www.fidelissecurity.com/threatgeek/2018/02/exposing-x509-vulnerabilities with a view to creating a Bro detection?
Looks as simple as checking a value in the TLS extension to see if it falls on an expected length to be a hash value.
Kind regards,
Andy
Andrew.Ratcliffe at NSWCSystems.co.uk
CISSP, CSTA, CSTP, CWSA
GIAC: GCIA, GCIH, GPEN, GWAPT, GCFE, GREM, GPYC, GNFA
Computer Forensic & Security Specialist
Blog.InfoSecMatters.net
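
The length check suggested in the message above, as an added example that is not part of the original post and is not Bro code: it walks the DER-encoded Extensions field of a certificate and reports key identifier values whose size is not a common digest length. Assumptions: the extension checked (subjectKeyIdentifier, OID 2.5.29.14), the set of accepted lengths and all function names are choices made for this example, and the sample extensions are constructed.

```python
# Added example (not from the original post): length check on key identifiers.
SKI_OID = bytes.fromhex("551d0e")      # 2.5.29.14 subjectKeyIdentifier (assumed target)
DIGEST_LENGTHS = {8, 20, 32, 48, 64}   # assumed "looks like a hash" sizes, in bytes

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: low 7 bits count the length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each element inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def odd_key_id_lengths(extensions_der):
    """Return lengths of subjectKeyIdentifier values that are not digest-sized."""
    tag, seq, _ = read_tlv(extensions_der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    odd = []
    for _, ext in children(seq):
        fields = list(children(ext))   # extnID, optional critical flag, extnValue
        if not fields or fields[0] != (0x06, SKI_OID):
            continue
        _, key_id, _ = read_tlv(fields[-1][1], 0)  # extnValue wraps an OCTET STRING
        if len(key_id) not in DIGEST_LENGTHS:
            odd.append(len(key_id))
    return odd

def tlv(tag, value):
    """Encode one DER element (used only to build the constructed samples)."""
    n = len(value)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def sample_extensions(key_id):
    """Constructed sample: a critical basicConstraints plus a subjectKeyIdentifier."""
    bc = tlv(0x30, tlv(0x06, bytes.fromhex("551d13")) + tlv(0x01, b"\xff") + tlv(0x04, tlv(0x30, b"")))
    ski = tlv(0x30, tlv(0x06, SKI_OID) + tlv(0x04, tlv(0x04, key_id)))
    return tlv(0x30, bc + ski)
```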