2014-07-21 05:30 AM
Hi.
Similar to the blacklisted IP and domain feeds, we have a feed of malicious SSL certificates from https://sslbl.abuse.ch/
The feed contains the SHA1 fingerprint of each malicious certificate involved in C2 communication.
However, I don't see any meta field capturing this info in NetWitness.
I can see ssl.ca, ssl.subject, and crypto related to TLS communication.
Is there a way to write a parser or similar to capture the SHA1 fingerprint of the SSL certificates?
2014-07-23 03:14 AM
It's a good idea, but unfortunately not straightforward to implement. The main limitation is that the parser cannot hash data, and the hashed value of the certificate is not directly part of the traffic (only the full certificate is).
2014-07-24 09:44 AM
Are you sure that fingerprints are not stored as part of the certificate?
For example, here it seems to be part of it:
And here you have snort signatures based on fingerprints:
2014-07-29 03:55 PM
Exactly, the hash is already available in the certificate which is in the network communication.
I guess the parser should capture that info.
2014-07-30 12:51 AM
I did some quick research before my original post, and I thought the fingerprint was in the certificate, but not as a hash of the complete certificate. See also this:
It's a hash of the full content of the certificate. You can't put the hash inside; it gives a chicken-and-egg problem. The fingerprints in your Windows dialog box are likely computed by the client.
Also:
Daily Ruleset Update Summary 07/18/2014 - Emerging Threats
"Today we are publishing the signatures created and shared by abuse.ch. We have converted the majority of them to Snort, but due to the inability of Snort to match on the SHA1 fingerprint of an SSL cert, some of their signatures are being released for Suricata only. Special thanks to abuse.ch for the work they do and for allowing us to share these with the community!"
So I'm not completely convinced yet, but someone could prove me wrong and write a working SSL fingerprint parser.
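To make the point of the last two posts concrete: the fingerprint that sslbl.abuse.ch publishes is SHA1 over the raw DER bytes of the certificate as it appears in the TLS Certificate handshake message, so a detector has to extract those bytes and hash them itself; there is no field to read. The following is an added example (not from this thread, and not NetWitness or abuse.ch code) that does exactly that in Python: it walks a TLS 1.2 record to the certificate_list, hashes each entry, and looks the result up in a blocklist. The DER blobs, the TLS record and the feed excerpt are constructed placeholders, and the three-column CSV layout (listing date, SHA1, reason) is an assumption about the feed format. Note that this only works where the Certificate message is sent in the clear, which is the case for TLS 1.2 and earlier but not for TLS 1.3, where the server's certificate is encrypted.

```python
import hashlib
import struct

# Constructed stand-ins for DER-encoded certificates. Real certificates are ASN.1 SEQUENCEs;
# for the fingerprint the content does not matter, only the exact bytes seen on the wire.
LEAF_DER = b"\x30\x82\x01\x00" + b"LEAF-CERT-PLACEHOLDER-" * 4
CA_DER = b"\x30\x82\x00\x80" + b"CA-CERT-PLACEHOLDER-" * 3


def _u24(n):
    """Encode an integer as the 3-byte big-endian length TLS uses for certificate lists."""
    return n.to_bytes(3, "big")


def build_certificate_record(certs):
    """Wrap DER blobs in a TLS 1.2 Certificate handshake message (RFC 5246 section 7.4.2)."""
    cert_list = b"".join(_u24(len(c)) + c for c in certs)
    body = _u24(len(cert_list)) + cert_list
    handshake = b"\x0b" + _u24(len(body)) + body          # handshake type 11 = Certificate
    return b"\x16\x03\x03" + struct.pack(">H", len(handshake)) + handshake  # record type 22


def extract_certificates(record):
    """Walk record -> handshake -> certificate_list and return each DER blob as bytes."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x0B:
        raise ValueError("not a Certificate handshake message")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    list_len = int.from_bytes(body[0:3], "big")
    pos, end, certs = 3, 3 + list_len, []
    while pos + 3 <= end:
        clen = int.from_bytes(body[pos:pos + 3], "big")
        pos += 3
        if pos + clen > end:
            raise ValueError("truncated certificate entry")
        certs.append(bytes(body[pos:pos + clen]))
        pos += clen
    return certs


def fingerprint_sha1(der):
    """SHA1 over the raw DER bytes. This is the value the feed lists, and it is exactly
    what a parser without a hashing primitive cannot produce from the traffic."""
    return hashlib.sha1(der).hexdigest()


def load_blocklist(csv_text):
    """Parse 'Listingdate,SHA1,Listingreason' lines (assumed feed layout), skipping '#' comments."""
    entries = {}
    for line in csv_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _listed, sha1, reason = line.split(",", 2)
        entries[sha1.strip().lower()] = reason.strip()
    return entries


def scan_record(record, blocklist):
    """Return (position, fingerprint, reason) for every certificate in the chain that is listed."""
    hits = []
    for i, der in enumerate(extract_certificates(record)):
        fp = fingerprint_sha1(der)
        if fp in blocklist:
            hits.append((i, fp, blocklist[fp]))
    return hits


# Constructed feed excerpt: the leaf certificate above is listed, the CA is not.
SAMPLE_FEED = "\n".join([
    "# Listingdate,SHA1,Listingreason   (constructed sample, not the live feed)",
    "2014-07-21 05:30:00," + fingerprint_sha1(LEAF_DER) + ",Example C2 (constructed)",
])

if __name__ == "__main__":
    record = build_certificate_record([LEAF_DER, CA_DER])
    for pos, fp, reason in scan_record(record, load_blocklist(SAMPLE_FEED)):
        print(f"cert #{pos} fingerprint {fp} listed: {reason}")
```

The hash is taken over the bytes exactly as carried in the handshake, without any re-encoding, because a single differing byte changes the fingerprint; that is also why the fingerprint cannot be stored inside the certificate it describes.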
2018-10-12 12:19 PM