So quite a few infosec folks are looking at Mandiant’s APT1 report, myself included…When I saw that they included some information on SSL certs in use I thought “Oh, I’ll bet I can check my Bro logs for that!”. Unfortunately, I don’t see a way to correlate the info from these reports with my Bro logs (which is pretty vanilla).
So I suppose my question(s) is/are:
*Has anyone else seen a reliable way to correlate the report data with Bro logs?
*How might I change my Bro logs so that if I were given this info in the future I could reliably correlate it?
I’m fairly ignorant about how much of an X509 cert one can see on the wire; serial number seemed promising but is only “required” to be unique per CA, Signature Algorithm seems promising, as does Public Key Modulus…
There are a couple different things you can look for.
The serial number works pretty well in a lot of cases (I use this 99%
of the time w/o issue). The subject and issuer are useful for finding
odd SSL certs to begin with. A lof of their subjects and issuers are
pretty trash looking. If you were really paranoid you could combine
the 2 for a more accurate match. I'd also say having a 5 year validity
isn't too normal, but I don't have any hard data to back this up (just
from what I remember from doing analysis). Not to mention when subject
= issuer is also a give away for self signed, and while not
immediately malicious it tends to raise my eyebrow (for example, a
self signed mail.aol.com or mail.yahoo.com cert?). For the default bro
logs I'd look at servername, subject, not valid before and not valid
after; that should give you a reasonable starting place.
Just by looking at subjects and/or issuers that should stand out
because that is not normal for legit network traffic. Sorry for the
tangent, but personally I'd be less worried about the specifics in the
report and more about the chances that it's something not in this
report on your network <FUD alert! >
has brought me immediate joy in that I found that the primary web site for our auditors is using a self-signed cert; let us hope that is not a practice they fault us for.
On a serious note though, I do not see serial number in the default ssl.log file; can someone share the incantation to have it added?
Mandiant didn't actually distribute the certificates with their report they only included some information about the certs and the certs SHA1 hashes. Unfortunately for a historical reason our SSL scripts by default only log the MD5 hash of the cert. We can either get Mandiant to release MD5's for the certs or your can start logging SHA1's going forward.
Here's a script to add SHA-1 hashes for certs to your log (this is a very slight modification to the script we ship with 2.1)…
@load base/protocols/ssl
module SSL;
export {
redef record Info += {
## SHA1 hash of the DER encoded server certificate.
sha1: string &log &optional;
};
}
event x509_certificate(c: connection, is_orig: bool, cert: X509, chain_idx: count, chain_len: count, der_cert: string) &priority=4
{
# We aren't tracking client certificates yet and we are also only tracking
# the primary cert. Watch that this came from an SSL analyzed session too.
if ( is_orig || chain_idx != 0 || ! c?$ssl )
return;
>
