Tuesday, March 03, 2009

Bro SSL Certificate Details

I was asked today about using Bro to record details of SSL certificates. I wanted to show an excerpt from one of my class labs as an example.

In one of the labs I use Bro to generate logs for a network trace. The idea is that by looking at the server subject and server issuer fields, you might identify odd activity.

First I generate Bro logs.

analyst@twsu804:~/case03$ /usr/local/bro/bin/bro -r /home/analyst/pcap/tws2_15casepcap/case03.pcap weird notice alarm tcp udp conn http http-request http-reply http-header ssl dns

You can see Bro summarize the SSL connections it sees on port 443 TCP by default.

analyst@twsu804:~/case03$ grep https.start ssl.log
1230953783.860406 #1 192.168.230.4/1700 > 67.199.36.111/https start
1230953792.363305 #2 192.168.230.4/1702 > 67.199.36.111/https start
1230953999.730060 #3 192.168.230.4/1712 > 63.245.209.118/https start
1230954052.303861 #4 192.168.230.4/1735 > 194.109.206.212/https start
1230954060.752904 #5 192.168.230.4/1742 > 24.92.58.169/https start
1230954060.811960 #6 192.168.230.4/1743 > 88.84.144.63/https start
1230954060.843277 #7 192.168.230.4/1740 > 92.195.102.210/https start
1230954060.860087 #8 192.168.230.4/1744 > 85.125.106.58/https start
1230954060.879373 #9 192.168.230.4/1746 > 82.94.251.204/https start
1230954061.166306 #10 192.168.230.4/1747 > 124.16.143.97/https start
1230954061.167447 #11 192.168.230.4/1738 > 220.175.170.133/https start
1230954064.376426 #12 192.168.230.4/1748 > 82.29.1.204/https start
1230954064.408963 #13 192.168.230.4/1749 > 87.97.231.238/https start
1230954075.839499 #14 192.168.230.4/1754 > 91.143.87.107/https start
1230954136.655647 #15 192.168.230.4/1763 > 140.247.60.83/https start
1230954136.763340 #16 192.168.230.4/1764 > 62.141.58.13/https start

You can take a deeper look at these SSL connections using Bro. First I create a list of search terms for grep, and then I grep for those search terms in ssl.log.

analyst@twsu804:~/case03$ cat ssl_grep.txt
server subject
server issuer

Here is the grep.

analyst@twsu804:~/case03$ grep -f ssl_grep.txt ssl.log
1230953999.730060 #3 X.509 server issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
1230953999.730060 #3 X.509 server subject /C=US/ST=California/L=Mountain View/O=Mozilla Corporation/CN=*.addons.mozilla.org
1230954052.494060 #4 X.509 server issuer /CN=www.z72ey43i.net
1230954052.494060 #4 X.509 server subject /CN=www.defgig6t6azjbr2.net
1230954060.813874 #5 X.509 server issuer /CN=www.kmz5vo6e6.net
1230954060.813874 #5 X.509 server subject /CN=www.pkpwmlwen7vge.net
1230954060.932578 #6 X.509 server issuer /CN=www.ne2jqp556.net
1230954060.932578 #6 X.509 server subject /CN=www.dpcmd6qbqlpabomp5ki5.net
1230954061.007888 #8 X.509 server issuer /CN=www.rdsm2znz.net
1230954061.007888 #8 X.509 server subject /CN=www.dme2njaquxi.net
1230954061.022973 #9 X.509 server issuer /CN=www.hqnn5zhz.net
1230954061.022973 #9 X.509 server subject /CN=www.76grma4ml.net
1230954061.500215 #10 X.509 server issuer /CN=www.4h33vtek5c4p57wuae.net
1230954061.500215 #10 X.509 server subject /CN=www.tx7iuwu56.net
1230954061.510028 #11 X.509 server issuer /CN=www.npn3go6542.net
1230954061.510028 #11 X.509 server subject /CN=www.fqhbh226p.net
1230954063.926987 #7 X.509 server issuer /CN=www.ennvjjpqlvnehtbqae74.net
1230954063.926987 #7 X.509 server subject /CN=www.3lp45iastk.net
1230954064.513351 #12 X.509 server issuer /CN=www.3bxwanjs7lrqrduij.net
1230954064.513351 #12 X.509 server subject /CN=www.5cioy5x224bja6wnf.net
1230954064.575053 #13 X.509 server issuer /CN=www.i6rtf7w3bdbdh.net
1230954064.575053 #13 X.509 server subject /CN=www.r7thso6x.net
1230954076.059391 #14 X.509 server issuer /CN=www.uiwpjnmjsqgatlo2ppik.net
1230954076.059391 #14 X.509 server subject /CN=www.r4g5fuzu3rybrf.net
1230954136.715980 #15 X.509 server issuer /CN=www.dsl47i66rnpesdparhj.net
1230954136.715980 #15 X.509 server subject /CN=www.zgxc7xvt6aj2xqo7z.net
1230954136.904599 #16 X.509 server issuer /CN=www.u2vuanrtt6v3ckj77u.net
1230954136.904599 #16 X.509 server subject /CN=www.b6w4ffeimiezuhp7bilm.net

If you've ever looked at Tor SSL certificates you'll recognize the traffic here.
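The grep above leaves the analyst to eyeball issuer and subject pairs by hand. The following script is an added example, not part of the original post or of Bro itself: it parses ssl.log lines in the format shown above, pairs each connection's issuer and subject DN, and flags the pattern visible in this trace (issuer and subject are both a bare CN of the form www.<random>.net, and differ from each other). The sample lines are copied from the post's output with the wrapping undone; the regular expression for a "random-looking" CN and the 8-20 character label length are my own assumptions for this heuristic, not something Bro provides.

```python
import re
from collections import defaultdict

# Constructed sample: Bro 1.x ssl.log lines in the format quoted in the post
# (timestamps, connection ids and DNs are taken from the post's own output).
SAMPLE_SSL_LOG = """\
1230953999.730060 #3 X.509 server issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
1230953999.730060 #3 X.509 server subject /C=US/ST=California/L=Mountain View/O=Mozilla Corporation/CN=*.addons.mozilla.org
1230954052.494060 #4 X.509 server issuer /CN=www.z72ey43i.net
1230954052.494060 #4 X.509 server subject /CN=www.defgig6t6azjbr2.net
1230954060.813874 #5 X.509 server issuer /CN=www.kmz5vo6e6.net
1230954060.813874 #5 X.509 server subject /CN=www.pkpwmlwen7vge.net
1230954061.007888 #8 X.509 server issuer /CN=www.rdsm2znz.net
1230954061.007888 #8 X.509 server subject /CN=www.dme2njaquxi.net
"""

# One ssl.log certificate line: "<ts> #<conn id> X.509 server <issuer|subject> <DN>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) #(?P<id>\d+) X\.509 server (?P<field>issuer|subject) (?P<dn>/.*)$"
)

# Assumed heuristic for the Tor-style names seen in the trace: a "www." label
# of 8-20 lowercase letters/digits under .net. Tune for your own environment.
RANDOM_CN_RE = re.compile(r"^www\.[a-z0-9]{8,20}\.net$")


def parse_dn(dn):
    """Split an OpenSSL-style DN such as '/C=US/O=Foo/CN=bar' into an ordered
    list of (attribute, value) pairs. Values containing '/' are not handled;
    none appear in this log format's sample."""
    parts = []
    for item in dn.strip("/").split("/"):
        if "=" in item:
            attr, value = item.split("=", 1)
            parts.append((attr, value))
    return parts


def parse_ssl_log(text):
    """Group issuer and subject DNs by Bro connection id.
    Returns {conn_id: {"ts": float, "issuer": [...], "subject": [...]}}."""
    certs = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # start/finish lines and anything else are ignored
        entry = certs[int(m.group("id"))]
        entry["ts"] = float(m.group("ts"))
        entry[m.group("field")] = parse_dn(m.group("dn"))
    return dict(certs)


def looks_like_tor_cert(entry):
    """True when both issuer and subject are a single CN attribute matching
    RANDOM_CN_RE and the two differ (issuer and subject are distinct random
    names in the sample, so this is not a plain self-signed check)."""
    issuer = entry.get("issuer")
    subject = entry.get("subject")
    if not issuer or not subject:
        return False
    for dn in (issuer, subject):
        if len(dn) != 1 or dn[0][0] != "CN" or not RANDOM_CN_RE.match(dn[0][1]):
            return False
    return issuer != subject


def flag_suspicious(text):
    """Return the sorted connection ids whose certificates match the heuristic."""
    return sorted(cid for cid, e in parse_ssl_log(text).items() if looks_like_tor_cert(e))


if __name__ == "__main__":
    certs = parse_ssl_log(SAMPLE_SSL_LOG)
    for cid in flag_suspicious(SAMPLE_SSL_LOG):
        e = certs[cid]
        print(f"#{cid} {e['ts']:.6f} issuer={e['issuer'][0][1]} subject={e['subject'][0][1]}")
```

Run it against a real file with `flag_suspicious(open("ssl.log").read())`; the Mozilla connection (#3), whose issuer carries C, O and OU attributes from a public CA, is left alone while the bare-CN pairs are reported. The heuristic is deliberately narrow to this trace; in production you would pair it with a list of issuers you expect to see and review anything outside it.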

In a later lab I show how to ask Bro to look at SSL to any port.


Richard Bejtlich is teaching new classes in Europe in 2009. Register by 1 Mar for the best rates.

3 comments:

Steve said...
This comment has been removed by a blog administrator.
INDY said...

Ok, we can catch a full SSL session with Bro and we have the private open keys from each side - can we use this information to decrypt the SSL session?

I'm sorry if my question is stupid....

Anonymous said...

Are there any other tools besides Bro that do a good job at logging SSL certificate details?