[Zeek] Certificate questions

jayf at wheeling-nisshin.com jayf at wheeling-nisshin.com
Mon Nov 18 10:44:21 PST 2019


Thanks for the answer.  I need a bit of clarification though.

Your instructions said:

openssl s_client -host slscr.update.microsoft.com -port 443 -showcerts < /dev/null | sed -n '/BEGIN/,/END/p' | openssl x509 -outform DER > o.der

(do that for each CA - ignore the "verify error")

Wouldn't fetching each certificate overwrite "o.der"?  Should that be a
">>"?  Or do I need to modify "o.der" for each certificate I fetch, then do a
"python ../gen_certs.py . cacert.zeek"?  Would that grab all the .der
files?  Do I need to make a separate, unique "cacert.zeek" to put in my
"@load" statement?

Also, I put "@/path/to/cacert.zeek" file in my
"/opt/bro/share/bro/site/local.bro" file.  I assume that's where the
statement goes?

Sorry for all the questions, but I've not found this information elsewhere.
It really is appreciated.

Jay Fluharty
Network Analyst
NS Wheeling-Nisshin Inc.
PO Box 635
Follansbee, WV 26037
jayf at wheeling-nisshin.com
1-304-527-4819



From:	Michał Purzyński <michalpurzynski1 at gmail.com>
To:	jayf at wheeling-nisshin.com
Cc:	zeek <zeek at zeek.org>
Date:	11/17/2019 05:45 AM
Subject:	Re: [Zeek] Certificate questions



Excellent question.

The reason you see those errors is the lack of the Root CA in Zeek's
certificate store.

Zeek, by default, uses Mozilla certificate store - the same one your
Firefox uses. Try going to one of these pages, like
https://slscr.update.microsoft.com in FF and you will see certificate
errors as well. You will not see them in Edge. Why's that?

For Microsoft, those certificates chain to a CA that has the root CA
certificate present in the Windows certificate store, but nowhere else. For
Apple, the situation is similar - these root CA certificates are present on
the system level but nowhere else.

Since those are for services not accessed by general public, but things
like iCloud and software updates, these have never been submitted to us for
inclusion into Mozilla root CA program - and hence never landed in Zeek's
land.

An example right here:

subject
CN=slscr.update.microsoft.com,OU=DSP,O=Microsoft,L=Redmond,ST=WA,C=US

issued by
CN=Microsoft ECC Update Secure Server CA 2.1,O=Microsoft
Corporation,L=Redmond,ST=Washington,C=US

issued by
CN=Microsoft ECC Product Root Certificate Authority 2018,O=Microsoft
Corporation,L=Redmond,ST=Washington,C=US

Present in MS root store

There is a fix for that - you have to fetch those certificates with tools
like openssl or the latest Firefox (it's got this nice thing where you can
download the full chain), transform them into Zeek's scripts and include.

I think Justin wrote a nice script for that.

https://gist.github.com/JustinAzoff/7a1b92c976a2fa6e8601

mkdir tmp && cd tmp

openssl s_client -host slscr.update.microsoft.com -port 443 -showcerts < /dev/null | sed -n '/BEGIN/,/END/p' | openssl x509 -outform DER > o.der

(do that for each CA - ignore the "verify error")

python ../gen_certs.py . cacert.zeek

And then you can @load the cacert.zeek in a script or in a local.zeek

On Fri, Nov 15, 2019 at 12:37 PM <jayf at wheeling-nisshin.com> wrote:
  Greetings Zeek community,

  I'm very new to Zeek, but really like what I'm seeing so far.  I need some
  help or perhaps a bit of education though. I have it set up in a Security
  Onion VM.

  I see a lot of messages about SSL including "unable to get local issuer
  certificate", which I understand COULD be self-signed certs.

  I also see many, many SSL::Invalid_Server_Cert notices in Kibana.  Many
  others say "SSL certificate validation failed with (self signed
  certificate in certificate chain)".

  These would all be of interest, however they ALL point back to very
  legitimate sources like Apple and Microsoft.  I find it hard to believe
  that these major companies have problems with that many certificates and
  servers.  Could this really be the case???

  I could find very little information on Google regarding this.  One
  article said something about Zeek not being able to match them up with
  root cert servers or something like that.

  Is it possible that Zeek is missing something like a list of root CAs or
  something?  Is this just garbage caused by something else.  This will
  leave me scratching my head until I come back on Monday.  I appreciate
  the help.

  Jay Fluharty
  Network Analyst
  NS Wheeling-Nisshin Inc.
  PO Box 635
  Follansbee, WV 26037
  jayf at wheeling-nisshin.com
  1-304-527-4819
  _______________________________________________
  Zeek mailing list
  zeek at zeek.org
  http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
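As an added example (not from this thread or from Justin's gist), a small Python helper that does what the reply's one-liner cannot: it splits the whole chain that `openssl s_client -showcerts` prints into one DER file per certificate, named by SHA-256 fingerprint, so nothing is overwritten when several hosts are processed and a root already collected from another host is not written twice. The output directory is what the `python ../gen_certs.py . cacert.zeek` step expects; the sample PEM bundle below is constructed and its bodies are not real certificates.

```python
"""Split a PEM chain into one DER file per certificate (added example)."""
import base64
import hashlib
import os
import re

# One PEM certificate block; re.S lets the body span lines. Text outside the
# markers (the "verify error" lines s_client prints) is ignored, as with sed.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)

def pem_to_der_blocks(pem_text):
    """DER bytes of every certificate in the bundle, leaf first.

    This is what `openssl x509 -outform DER` does for one block: DER is the
    base64-decoded PEM body. The one-liner in the reply converts only block 1.
    """
    return [base64.b64decode("".join(body.split()))
            for body in PEM_BLOCK.findall(pem_text)]

def write_chain(pem_text, outdir):
    """Write each certificate to <outdir>/<sha256>.der; return paths created.

    Fingerprint names mean nothing is overwritten across hosts, and a root
    already collected from another host is skipped rather than duplicated.
    """
    os.makedirs(outdir, exist_ok=True)
    written = []
    for der in pem_to_der_blocks(pem_text):
        path = os.path.join(outdir, hashlib.sha256(der).hexdigest() + ".der")
        if not os.path.exists(path):
            with open(path, "wb") as f:
                f.write(der)
            written.append(path)
    return written

# Constructed sample standing in for saved `openssl s_client -showcerts` output;
# the PEM bodies are arbitrary base64, not real certificates.
SAMPLE_BUNDLE = """\
verify error:num=20:unable to get local issuer certificate
-----BEGIN CERTIFICATE-----
bGVhZi1jZXJ0aWZpY2F0ZS1wbGFjZWhvbGRlcg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
aW50ZXJtZWRpYXRlLWNhLXBsYWNlaG9sZGVy
-----END CERTIFICATE-----
"""
```

In real use, save the s_client output first (`openssl s_client -host HOST -port 443 -showcerts </dev/null > chain.pem`), call `write_chain(open("chain.pem").read(), "tmp")` for each host, then run gen_certs.py on the `tmp` directory.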
