[Zeek] Certificate questions
jayf at wheeling-nisshin.com
Mon Nov 18 10:44:21 PST 2019
Thanks for the answer. I need a bit of clarification though.
Your instructions said, openssl s_client -host slscr.update.microsoft.com
-port 443 -showcerts < /dev/null | sed -n '/BEGIN/,/END/p' | openssl x509
-outform DER > o.der
(do that for each CA - ignore the "verify error")'
Wouldn't fetching each certificate overwrite "o.der"? Should that be a
">>"? Or do I need to modify "o.der" for each certificate I fetch, then do a
"python ../gen_certs.py . cacert.zeek"? Would that grab all the .der
files? Do I need to make a separate, unique "cacert.zeek" to put in my
"@load" statement?
Also, I put "@/path/to/cacert.zeek" file in my
"/opt/bro/share/bro/site/local.bro" file. I assume that's where the
statement goes?
Sorry for all the questions, but I've not found this information elsewhere.
It really is appreciated.
Jay Fluharty
Network Analyst
NS Wheeling-Nisshin Inc.
PO Box 635
Follansbee, WV 26037
jayf at wheeling-nisshin.com
1-304-527-4819
From: Michał Purzyński <michalpurzynski1 at gmail.com>
To: jayf at wheeling-nisshin.com
Cc: zeek <zeek at zeek.org>
Date: 11/17/2019 05:45 AM
Subject: Re: [Zeek] Certificate questions
Excellent question.
The reason you see those errors is the lack of the Root CA in Zeek's
certificate store.
Zeek, by default, uses the Mozilla certificate store - the same one your
Firefox uses. Try going to one of these pages, like
https://slscr.update.microsoft.com in FF and you will see certificate
errors as well. You will not see them in Edge. Why's that?
For Microsoft, those certificates chain to a CA that has the root CA
certificate present in the Windows certificate store, but nowhere else. For
Apple, the situation is similar - these root CA certificates are present at
the system level but nowhere else.
Since those are for services not accessed by general public, but things
like iCloud and software updates, these have never been submitted to us for
inclusion into Mozilla root CA program - and hence never landed in Zeek's
land.
An example right here:
subject: CN=slscr.update.microsoft.com,OU=DSP,O=Microsoft,L=Redmond,ST=WA,C=US
issued by: CN=Microsoft ECC Update Secure Server CA 2.1,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US
issued by: CN=Microsoft ECC Product Root Certificate Authority 2018,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US
(present in the MS root store)
There is a fix for that - you have to fetch those certificates with tools
like openssl or the latest Firefox (it's got this nice thing where you can
download the full chain), transform them into Zeek scripts and include them.
I think Justin wrote a nice script for that.
https://gist.github.com/JustinAzoff/7a1b92c976a2fa6e8601
mkdir tmp && cd tmp
openssl s_client -host slscr.update.microsoft.com -port 443 -showcerts < /dev/null | sed -n '/BEGIN/,/END/p' | openssl x509 -outform DER > o.der
(do that for each CA - ignore the "verify error")
python ../gen_certs.py . cacert.zeek
And then you can @load the cacert.zeek in a script or in a local.zeek
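The procedure Michał describes above, worked through end to end as an added example. This is not code from the thread, from Justin's gist or from Zeek itself; it assumes openssl, awk, od and sed are installed, that the host is reachable on port 443, and that SSL::root_certs is the redef-able table Zeek's own mozilla-ca-list.zeek populates. It answers the "wouldn't o.der get overwritten" question by splitting the chain into one chain-NN.pem file per certificate instead of piping everything through a single "openssl x509" (which only reads the first PEM block it sees), then writes one "redef SSL::root_certs +=" entry per certificate, keyed by the subject DN in the same layout as Zeek's Mozilla list. The output file name cacert.zeek and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the thread, gen_certs.py or Zeek): fetch a server's
# certificate chain, split it into one file per certificate, and emit a Zeek
# script that adds each certificate to SSL::root_certs.
set -eu

# Split an "openssl s_client -showcerts" stream (stdin) into chain-NN.pem files
# under $1. chain-01.pem is the leaf; intermediates follow in the order the
# server sent them. Prints the number of certificates written.
split_pem_chain() {
    awk -v prefix="$1/chain-" '
        /^-----BEGIN CERTIFICATE-----/ {
            n++; file = sprintf("%s%02d.pem", prefix, n); inside = 1
        }
        inside { print > file }
        /^-----END CERTIFICATE-----/ { close(file); inside = 0 }
        END { print n + 0 }
    '
}

# Turn a DER file ($1) into the "\x30\x82..." string literal that Zeek's
# mozilla-ca-list.zeek uses for SSL::root_certs values.
der_to_zeek_string() {
    od -An -v -tx1 "$1" | tr -d ' \n' | sed 's/../\\x&/g'
}

# Emit one "redef SSL::root_certs += { [subject] = der };" per chain-NN.pem in
# $1. One redef per certificate means nothing is overwritten and the file can
# simply be @load-ed. Subject is formatted RFC2253-style (CN first) to match
# the keys Zeek's own list uses; Zeek loads the DER value, the key is a label.
pem_dir_to_zeek() {
    printf '# Generated by fetch_chain_to_zeek (added example), not by gen_certs.py\n'
    printf '@load base/protocols/ssl\n\n'
    for pem in "$1"/chain-*.pem; do
        der="${pem%.pem}.der"
        openssl x509 -in "$pem" -outform DER -out "$der"
        subject=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253 \
                  | sed 's/^subject= *//')
        printf 'redef SSL::root_certs += {\n\t["%s"] = "%s"\n};\n\n' \
            "$subject" "$(der_to_zeek_string "$der")"
    done
}

# Full procedure: fetch_chain_to_zeek HOST [OUT.zeek]. s_client's own
# "verify error" lines go to stderr and are discarded: we only want the
# chain the server sends, not a local verification verdict. Note that most
# servers do not send the self-signed root; if it is missing you still have
# to export it from the vendor's trust store and convert it the same way.
fetch_chain_to_zeek() {
    host=$1; out=${2:-cacert.zeek}
    workdir=$(mktemp -d)
    count=$(openssl s_client -connect "$host:443" -servername "$host" \
                -showcerts </dev/null 2>/dev/null | split_pem_chain "$workdir")
    [ "$count" -gt 0 ] || { echo "no certificates received from $host" >&2; return 1; }
    pem_dir_to_zeek "$workdir" > "$out"
    echo "wrote $count certificate(s) to $out; add '@load $out' to local.zeek" >&2
}

# Only run the network part when a host is given, so the functions above can
# be sourced or tested on their own.
if [ $# -ge 1 ]; then
    fetch_chain_to_zeek "$@"
fi
```

Usage: save as fetch_chain.sh and run "sh fetch_chain.sh slscr.update.microsoft.com /opt/zeek/share/zeek/site/cacert.zeek" (on Jay's Security Onion install the site directory is the one holding local.bro), then add "@load /opt/zeek/share/zeek/site/cacert.zeek" to local.zeek (or local.bro) and redeploy with zeekctl deploy (broctl deploy on older installs). Repeat per host; each run writes its own output file, so a separate cacert file per vendor is the simplest way to keep them apart. If validation still reports "unable to get local issuer certificate", the certificate that closes the chain (the self-signed root Michał shows as present in the MS root store) was not among those the server sent and has to be added from the vendor's store.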
On Fri, Nov 15, 2019 at 12:37 PM <jayf at wheeling-nisshin.com> wrote:
Greetings Zeek community,
I'm very new to Zeek, but really like what I'm seeing so far. I need some
help or perhaps a bit of education though. I have it set up in a Security
Onion VM.
I see a lot of messages about SSL including "unable to get local issuer
certificate", which I understand COULD be self-signed certs.
I also see many, many SSL::Invalid_Server_Cert notices in Kibana. Many
others say "SSL certificate validation failed with (self signed
certificate in certificate chain)".
These would all be of interest, however they ALL point back to very
legitimate sources like Apple and Microsoft. I find it hard to believe
that these major companies have problems with that many certificates and
servers. Could this really be the case???
I could find very little information on Google regarding this. One
article said something about Zeek not being able to match them up with
root cert servers or something like that.
Is it possible that Zeek is missing something like a list of root CAs or
something? Is this just garbage caused by something else. This will
leave me scratching my head until I come back on Monday. I appreciate
the help.
Jay Fluharty
Network Analyst
NS Wheeling-Nisshin Inc.
PO Box 635
Follansbee, WV 26037
jayf at wheeling-nisshin.com
1-304-527-4819
_______________________________________________
Zeek mailing list
zeek at zeek.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek