Question about data format of ssl.log files


So quite a few infosec folks are looking at Mandiant’s APT1 report, myself included…When I saw that they included some information on SSL certs in use I thought “Oh, I’ll bet I can check my Bro logs for that!”. Unfortunately, I don’t see a way to correlate the info from these reports with my Bro logs (which is pretty vanilla).

So I suppose my question(s) is/are:

*Has anyone else seen a reliable way to correlate the report data with Bro logs?
*How might I change my Bro logs so that if I were given this info in the future I could reliably correlate it?

I’m fairly ignorant about how much of an X509 cert one can see on the wire; serial number seemed promising but is only “required” to be unique per CA, Signature Algorithm seems promising, as does Public Key Modulus…

Any suggestions/thoughts from the group?



There are a couple different things you can look for.

The serial number works pretty well in a lot of cases (I use this 99%
of the time w/o issue). The subject and issuer are useful for finding
odd SSL certs to begin with. A lof of their subjects and issuers are
pretty trash looking. If you were really paranoid you could combine
the 2 for a more accurate match. I'd also say having a 5 year validity
isn't too normal, but I don't have any hard data to back this up (just
from what I remember from doing analysis). Not to mention when subject
= issuer is also a give away for self signed, and while not
immediately malicious it tends to raise my eyebrow (for example, a
self signed or cert?). For the default bro
logs I'd look at servername, subject, not valid before and not valid
after; that should give you a reasonable starting place.

As an aside this might be one of my favorites:

C=US, ST=Washington, L=Anytown, O=ACLU, OU=A@@hole,

Just by looking at subjects and/or issuers that should stand out
because that is not normal for legit network traffic. Sorry for the
tangent, but personally I'd be less worried about the specifics in the
report and more about the chances that it's something not in this
report on your network <FUD alert! :slight_smile: >


Thank you Mike!


awk -F ‘\t’ ‘($11 == $12) && ($11 != “-”) {print $0}’ ./ssl.log

has brought me immediate joy in that I found that the primary web site for our auditors is using a self-signed cert; let us hope that is not a practice they fault us for. :stuck_out_tongue:

On a serious note though, I do not see serial number in the default ssl.log file; can someone share the incantation to have it added?

Thanks in advance,


Thank you Alex; this was the conclusion I came to as well…I was hoping I missed something in my ignorance of certs…

Now, to harass everyone I can find associated with Mandiant in the hopes of getting those md5’s… :slight_smile:



So, the APT1 report has the certs in text format. Does Bro use that? Or is
it all in DER?

Mandiant didn't actually distribute the certificates with their report they only included some information about the certs and the certs SHA1 hashes. Unfortunately for a historical reason our SSL scripts by default only log the MD5 hash of the cert. We can either get Mandiant to release MD5's for the certs or your can start logging SHA1's going forward.

Here's a script to add SHA-1 hashes for certs to your log (this is a very slight modification to the script we ship with 2.1)…

@load base/protocols/ssl
module SSL;
export {
  redef record Info += {
    ## SHA1 hash of the DER encoded server certificate.
    sha1: string &log &optional;
event x509_certificate(c: connection, is_orig: bool, cert: X509, chain_idx: count, chain_len: count, der_cert: string) &priority=4
  # We aren't tracking client certificates yet and we are also only tracking
  # the primary cert. Watch that this came from an SSL analyzed session too.
  if ( is_orig || chain_idx != 0 || ! c?$ssl )

  c$ssl$sha1 = sha1_hash(der_cert);

Have fun.


And I just realized there is a problem now that I look at the data. Mandiant didn't distribute hashes for any of the certificates. :frowning:


Yeah, that's true. Can we convert their public keys using the openSSL
commands? I gave it a try but got an error early.

They didn't distribute the full certificate. It's only the output from the openssl command being run on the cert.



sadly, the mendicant command only contains the human-readable
output of the certificate information and not the actual certificate.

There is no way to convert that back into the actual certificate
and also no way to get the certificate hashes.