Friday, February 22, 2013

Using Bro to Log SSL Certificates

I remember using an older version of Bro to log SSL certificates extracted from the wire. The version shipped with Security Onion is new and that functionality doesn't appear to be enabled by default. I asked Seth Hall about this capability, and he told me how to get Bro to log all SSL certs that it sees.

Edit /opt/bro/share/bro/site/local.bro to contain the changes as shown below.

diff -u /opt/bro/share/bro/site/local.bro.orig /opt/bro/share/bro/site/local.bro
--- /opt/bro/share/bro/site/local.bro.orig      2013-02-23 01:54:53.291457193 +0000
+++ /opt/bro/share/bro/site/local.bro   2013-02-23 01:55:16.151996423 +0000
@@ -56,6 +56,10 @@
 # This script enables SSL/TLS certificate validation.
 @load protocols/ssl/validate-certs

+# Log certs per Seth
+@load protocols/ssl/extract-certs-pem
+redef SSL::extract_certs_pem = ALL_HOSTS;
+
 # If you have libGeoIP support built in, do some geographic detections and
 # logging for SSH traffic.
 @load protocols/ssh/geo-data
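Review bot: the added comment `# Log certs per Seth` records who suggested the change but not what it does; since the `redef` overrides the option's default host selection, the comment should say so, e.g. `# Extract every server certificate Bro sees, not just the default host set, to a PEM file`. The ordering is correct: `redef SSL::extract_certs_pem = ALL_HOSTS;` sits after the `@load protocols/ssl/extract-certs-pem` line that defines the option, which is required for the redef to resolve. The file name certs-remote.pem shown later implies the output is split by remote/local host, so it is worth stating in the comment which file(s) ALL_HOSTS is expected to produce on this sensor.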

Restart Bro. In broctl, run install to push the updated site policy, then restart the node:
~# broctl

Welcome to BroControl 1.1

Type "help" for help.

[BroControl] > install
removing old policies in /nsm/bro/spool/installed-scripts-do-not-touch/site ... done.
removing old policies in /nsm/bro/spool/installed-scripts-do-not-touch/auto ... done.
creating policy directories ... done.
installing site policies ... done.
generating standalone-layout.bro ... done.
generating local-networks.bro ... done.
generating broctl-config.bro ... done.
updating nodes ... done.
[BroControl] > status
Name       Type       Host       Status        Pid    Peers  Started            
bro        standalone localhost  running       3042   0      17 Feb 13:22:42
[BroControl] > restart
stopping ...
stopping bro ...
starting ...
starting bro ...
[BroControl] > exit

After restarting, Bro appends the certificates it sees to a new PEM file, certs-remote.pem, in its working directory:

ls -al certs-remote.pem
-rw-r--r-- 1 root root 31907 Feb 23 02:05 certs-remote.pem

New certs are appended to the file as Bro sees them. A cert looks like this:

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
openssl x509 parses only the first PEM block it finds, so pointing it at the whole file decodes just one cert, e.g.:
openssl x509 -in certs-remote.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            77:24:50:6d:4f:9a:87:9d:4b:c6:6e:67:88:f2:60:c9
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)06, CN=VeriSign Class 3 Extended Validation SSL CA
        Validity
            Not Before: Feb 29 00:00:00 2012 GMT
            Not After : Feb 28 23:59:59 2013 GMT
        Subject: 1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=2927442, C=US/postalCode=60603, ST=Illinois, L=Chicago/street=135 S La Salle St, O=Bank of America Corporation, OU=Network Infrastructure, CN=www.bankofamerica.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:bd:e6:52:eb:6a:9d:c5:b3:36:5c:10:35:a3:3a:
                    20:97:5a:69:d9:10:b5:40:6f:56:7c:a9:a1:b4:92:
                    eb:d1:a0:2b:29:00:89:09:71:f1:06:50:19:b3:c2:
                    a4:99:87:c6:67:7b:83:3d:49:46:70:e7:b6:3a:7b:
                    37:a3:e0:fd:c0:b8:ed:1b:c7:d8:63:84:80:17:4f:
                    a0:68:da:a8:c2:29:ac:35:d6:48:e8:2c:06:0e:ec:
                    04:6d:10:bb:d8:cf:74:0c:07:2a:19:74:a6:ff:b0:
                    6e:42:01:63:68:67:d9:70:31:33:61:16:9a:a6:a4:
                    8d:ba:7b:02:b5:24:ad:85:75:fe:a2:35:2c:85:0f:
                    a0:ee:68:1a:c1:97:60:12:d3:69:f0:32:e1:f3:bc:
                    6a:ec:ff:82:a6:31:7d:c8:94:8f:d9:96:8b:4f:4f:
                    02:a8:67:07:97:94:8c:f6:2a:bb:8c:85:e9:20:35:
                    57:8e:80:84:2e:1c:99:a4:99:74:7d:7c:66:63:ba:
                    a2:7a:77:e3:8b:6f:8f:22:4e:9f:ce:84:ad:bd:15:
                    3e:61:5f:73:c1:20:6c:b7:ca:a5:a8:5e:3b:b1:ab:
                    a2:96:9b:0a:bf:d3:29:5e:9f:85:2b:b0:72:9e:ec:
                    0e:cd:52:0b:63:c9:85:5f:b0:eb:fd:19:52:aa:69:
                    f4:1f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                AD:F7:DC:13:30:7C:18:27:7B:34:83:6A:DC:E3:DD:8D:8A:6E:29:8D
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://EVSecure-crl.verisign.com/EVSecure2006.crl

            X509v3 Certificate Policies:
                Policy: 2.16.840.1.113733.1.7.23.6
                  CPS: https://www.verisign.com/rpa

            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Authority Key Identifier:
                keyid:FC:8A:50:BA:9E:B9:25:5A:7B:55:85:4F:95:00:63:8F:E9:58:6B:43

            Authority Information Access:
                OCSP - URI:http://EVSecure-ocsp.verisign.com
                CA Issuers - URI:http://EVSecure-aia.verisign.com/EVSecure2006.cer

            1.3.6.1.5.5.7.1.12:
                0`.^.\0Z0X0V..image/gif0!0.0...+......Kk.(.....R8.).K..!..0&.$http://logo.verisign.com/vslogo1.gif
    Signature Algorithm: sha1WithRSAEncryption
         77:d6:c8:64:dc:24:3f:8c:c7:f3:3b:58:7a:a8:29:be:39:e5:
         94:aa:00:af:98:07:f6:e8:9a:01:c7:d8:62:1f:1f:ac:5a:3d:
         7f:cf:5d:6b:2e:9d:e8:12:de:df:8a:a1:6c:8f:be:b3:59:70:
         1d:87:21:f4:6e:9f:ec:3c:6c:40:0f:b5:50:24:48:80:be:d5:
         11:ef:4d:79:39:4c:8d:a3:ea:a7:c0:99:36:ad:93:65:bf:06:
         72:76:db:04:9a:76:32:c1:51:20:2d:0b:85:9b:de:b6:72:c6:
         db:8e:60:2a:13:e3:83:4f:dc:24:ea:36:c8:a6:57:ea:86:74:
         a3:d8:02:f8:c5:33:52:d9:18:f7:fa:32:ac:5e:56:6f:cc:20:
         5d:5e:cf:04:c2:af:48:c2:87:0b:52:96:96:57:a3:9b:85:7b:
         31:92:01:68:9f:f2:97:d1:f4:bd:4c:06:a6:b3:84:5a:3f:02:
         09:ce:fa:f9:13:11:3e:35:2c:9a:b9:fb:35:ba:d7:4a:a0:4c:
         14:6a:84:b5:d9:9d:50:56:dc:62:b9:e3:60:74:52:a8:4c:04:
         df:38:3a:30:6f:50:be:20:31:0f:26:66:34:ba:b0:73:12:17:
         6b:b0:c1:02:b5:8c:49:55:80:43:02:16:e1:a1:c1:ba:c9:8a:
         60:dd:ac:92
Since each cert has a standard header and footer, I bet someone could write a parser to extract each cert from the certs-remote.pem file to separate files. Thanks a lot Seth!
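Here is one way to do exactly that. This is an added Python example, not Bro's extract-certs-pem script or anything from the post; it assumes only that the bundle uses the `-----BEGIN CERTIFICATE-----` / `-----END CERTIFICATE-----` markers shown above. It goes a little beyond a plain split: it deduplicates certificates that appear on many connections, skips blocks with bad base64 or a non-DER body, and names each output file by the SHA-1 of the DER so the fingerprints can be joined against other logs. The sample bundle embedded in it is constructed from minimal DER SEQUENCEs, not real certificates.

```python
"""Split a Bro certs-remote.pem / certs-local.pem bundle into one PEM file per
unique certificate, keyed by SHA-1 fingerprint. Added example; not Bro code."""
import base64
import binascii
import hashlib
import re
import sys
import tempfile
from pathlib import Path

# One PEM block: header, wrapped base64 body, footer (line width does not matter).
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*"
    r"(?P<body>[A-Za-z0-9+/=\s]+?)"
    r"\s*-----END CERTIFICATE-----"
)


def parse_pem_bundle(text):
    """Return the DER bytes of every well-formed certificate block in text.

    Blocks whose base64 is invalid, or whose first byte is not the DER
    SEQUENCE tag (0x30) that every X.509 Certificate starts with, are
    skipped rather than written out.
    """
    ders = []
    for match in PEM_BLOCK.finditer(text):
        body = re.sub(r"\s+", "", match.group("body"))
        try:
            der = base64.b64decode(body, validate=True)
        except (binascii.Error, ValueError):
            continue
        if not der or der[0] != 0x30:
            continue
        ders.append(der)
    return ders


def fingerprint(der, algo="sha1"):
    """Colon-separated upper-case digest, matching openssl x509 -fingerprint."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def der_to_pem(der):
    """Re-encode DER as PEM with 64-column lines, which openssl x509 accepts."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def split_bundle(text, outdir=None):
    """Dedupe certs by SHA-1 of the DER; write <outdir>/<sha1>.pem when outdir
    is given. Returns {sha1_hex: der} so callers can join against other logs."""
    unique = {}
    for der in parse_pem_bundle(text):
        key = hashlib.sha1(der).hexdigest()
        if key in unique:        # same cert offered on many connections
            continue
        unique[key] = der
        if outdir is not None:
            out = Path(outdir)
            out.mkdir(parents=True, exist_ok=True)
            (out / f"{key}.pem").write_text(der_to_pem(der))
    return unique


# Constructed sample data: minimal DER SEQUENCEs standing in for certificates,
# plus one duplicate and two malformed blocks. These are not real certs.
FAKE_DER_A = bytes.fromhex("3003020101")   # SEQUENCE { INTEGER 1 }
FAKE_DER_B = bytes.fromhex("3003020102")   # SEQUENCE { INTEGER 2 }
SAMPLE_BUNDLE = (
    der_to_pem(FAKE_DER_A) + "\n"
    + der_to_pem(FAKE_DER_B) + "\n"
    + der_to_pem(FAKE_DER_A) + "\n"                                        # duplicate
    + "-----BEGIN CERTIFICATE-----\nQUJDA\n-----END CERTIFICATE-----\n\n"  # bad base64 length
    + "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"     # decodes to "abc", not DER
)


def demo():
    """Split the constructed bundle into a temp dir; return the written names."""
    with tempfile.TemporaryDirectory() as tmp:
        split_bundle(SAMPLE_BUNDLE, tmp)
        return sorted(p.name for p in Path(tmp).iterdir())


if __name__ == "__main__":
    # Usage: python split_certs.py certs-remote.pem out/
    bundle = Path(sys.argv[1]).read_text()
    for sha1_hex, der in split_bundle(bundle, sys.argv[2]).items():
        print(sha1_hex, fingerprint(der, "sha256"))
```

Each file in the output directory holds a single certificate, so `openssl x509 -in out/<sha1>.pem -text -noout` shows the right one every time, and the SHA-1 in the file name is the same value `openssl x509 -fingerprint` prints, minus the colons.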

4 comments:

Seth Hall said...

That script actually deliberately bulks the certificates together. It would be easy to have a script that logs each separately.

Anonymous said...

I apologize in advance if this is a ridiculously stupid question...

What value have you seen in logging the certificates?

Can't wait for the new book, btw.

Richard Bejtlich said...

One value of logging the cert: you can do retrospective security analysis and check for elements in the cert that intruders might have entered. Those elements could link you to other connections you hadn't considered before.

Anonymous said...

I bet someone could write a parser to extract each cert from the certs-remote.pem file to separate files.

% split -p 'BEGIN CERTIFICATE' cert.pem cert_

% ls cert_*
cert_aa cert_ab cert_ac

% openssl x509 -in cert_ab -fingerprint -noout
SHA1 Fingerprint=94:80:7B:1C:78:8D:D2:FC:BE:19:C8:48:1C:E4:1C:FA:B8:A4:C1:7F

% openssl base64 -d -in cert_ab | openssl sha1
94807b1c788dd2fcbe19c8481ce41cfab8a4c17f