This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

In SA, how do you see HTTPS domain names without the domain name from the cert?

RSAAdmin
Beginner
Beginner

‎2015-08-13 04:01 PM

Hi all,

 

I'm trying to achieve something that I thought would be quite straightforward but is proving a bit tricky.

 

In SA, I'm trying to issue a query to return the domain names of HTTPS connections for a specific 30 minute window.

 

So, I thought, easy enough, 2 steps:

 

  1. Chose 'Custom' in the drop-down list for the time frame and specify my time frame.
  2. Set a filter for: service=443 (or under 'Service' click 'SSL').

 

But of course I'm seeing alias.host entries for things like:

*.google.com

which I assume is the domain name from the SSL certificate.

 

Is it even possible to achieve my goal? I just want to see the domain names which were the target of the HTTPS connections, not the domain names from the certs.

 

Any pointers would be gratefully received!

0 Likes
1 REPLY 1

RSAAdmin
Beginner
Beginner

‎2015-08-14 04:38 AM

Ok, so this was probably a daft question.

 

Given I'm looking at TLS connections, there shouldn't be any hostnames besides in the certificate or the SNI extension.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.