Logging an SSL Certificate

Hey guys,

I was just wondering if there was a way to log the SSL certificates from an SSL handshake. I want to log these so that I can check the signer specifically and check their authenticity. I have been working in Snort IDS but I haven't been able to get this to work, so I am going to try Bro if it is possible here instead. The main problems I run into on Snort are the TCP packets not reassembling and figuring out what content match to look for in the rules (although I can look through Wireshark and pull something out to try easily). Is this possible in Bro? Someone told me it would be available out of the box in Bro, so I am seriously considering this.

Thanks in advance,
Alvin

Yep, this happens out of the box in Bro. By default, it will log all
certificates seen, and it also logs any invalid certificates (for many
reasons) to the notice.log file (the alert file).

Also, you shouldn't be having any TCP reassembly issues in Snort if
it's a recent version. Snort will absolutely not do any of this SSL
stuff, so you can forget about trying to use Snort and focus on using
Bro for this. Seth got me going with it and it works as advertised.

Snort can absolutely log SSL certs, you just need a rule for it (and I'm
guessing emerging-threats prolly has one).

Here's the rule I'm using (for our environment):
# ssl connections on high ports
alert tcp $HOME_NET ![25,443,465,587,636,993,995] -> !$HOME_NET any \
(msg:"ssl_v3_out"; \
  content:"|16 03|"; depth:2; \
  content:"|02|"; distance:3; depth:1; \
  content:"|03|"; distance:3; depth:1; \
  content:"|16 03|"; content:"|0e|"; distance:3; depth:1; \
  sid:1000019; \
  threshold: type limit, track by_src, count 2, seconds 600;)

It logs more than just the cert, but it's a good way to see things like
TOR traffic from bridges and the like, as well as the high-port SSL Serv-U
FTP servers running on comp'd machines.

Cheers,
Harry

Snort can absolutely log SSL certs, you just need a rule for it (and I'm
guessing emerging-threats prolly has one).

Right, it can log the packet in which the cert exists and do some
rudimentary checks for known strings contained within, but Bro will
actually decode the cert, walk the certificate chain, match against a
database of known-valid public keys from Mozilla, etc. The end result
is a true test of whether or not the certificate is valid. The ET
sigs (which I contributed to) for this are pretty basic content
matches and only work for very specific certs.

Alvin, Bro won't work on Windows, but it will read packet traces
created from the Windows box, so you could capture with wireshark and
then ship to a Linux or FreeBSD box running Bro. Not ideal, to be
sure. Usually you run an IDS on the network ahead of the devices
you're trying to monitor, not directly on them (though this is not
always possible).

Keeping in mind that this is at least true for the next release, which we don't distribute as a package yet (repository only). :)

  .Seth
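As an added illustration of the "signer check" Alvin asked about and the validation Seth describes (this is example code written for this page, not code from the thread or from the Bro/Zeek project), the script below runs alongside the stock certificate logging and raises a notice when a server certificate was issued by a signer outside an expected set. It assumes the modern Zeek script layout and field names: `SSL::Info$issuer` is filled in from the server certificate by the base SSL scripts, and `SSL::Info$validation_status` is filled in by `protocols/ssl/validate-certs` (the chain validation against the bundled Mozilla root store) before the default-priority `ssl_established` handler runs. The issuer DN in `expected_issuers` is a constructed placeholder; replace it with the issuers actually expected on your network.

```zeek
##! Added example: notice on server certificates whose issuer is not on an
##! allowlist. Assumes Zeek 3.x+ event and field names (see lead-in).

@load base/protocols/ssl
@load base/frameworks/notice
# Does the chain walk / root-store validation and sets
# c$ssl$validation_status ("ok" or an OpenSSL error string).
@load protocols/ssl/validate-certs

module CertIssuerCheck;

export {
	redef enum Notice::Type += {
		## A server presented a certificate signed by an issuer that is
		## not in CertIssuerCheck::expected_issuers.
		Unexpected_Issuer
	};

	## Issuer distinguished names (as Zeek prints them in ssl.log) that
	## are expected to sign server certificates. Constructed sample value.
	const expected_issuers: set[string] = {
		"CN=Example Internal CA,O=Example Corp,C=US",
	} &redef;
}

# Fires once the handshake has completed, after the base scripts have
# populated the certificate fields in c$ssl.
event ssl_established(c: connection)
	{
	if ( ! c?$ssl || ! c$ssl?$issuer )
		return;

	if ( c$ssl$issuer in expected_issuers )
		return;

	# Include the chain-validation verdict so the analyst sees whether
	# the unexpected issuer is at least a publicly trusted one.
	local status = c$ssl?$validation_status ? c$ssl$validation_status : "not validated";

	NOTICE([$note=Unexpected_Issuer,
	        $msg=fmt("server %s:%s presented cert for %s signed by %s (validation: %s)",
	                 c$id$resp_h, c$id$resp_p,
	                 c$ssl?$subject ? c$ssl$subject : "<no subject>",
	                 c$ssl$issuer, status),
	        $conn=c,
	        # One notice per server/issuer pair during the suppression
	        # interval, so a busy host does not flood notice.log.
	        $identifier=cat(c$id$resp_h, c$id$resp_p, c$ssl$issuer)]);
	}
```

Load it with `zeek -r trace.pcap local cert-issuer-check.zeek` (or add it to `local.zeek`) and compare `notice.log` against the `issuer` and `validation_status` columns in `ssl.log`; the stock `SSL::Invalid_Server_Cert` notice from `validate-certs` still covers chains that fail validation outright, while this script catches chains that validate but come from a signer you did not expect.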