Using Bro to Log SSL Certificates

Edit /opt/bro/share/bro/site/local.bro to contain the changes as shown below.
diff -u /opt/bro/share/bro/site/local.bro.orig /opt/bro/share/bro/site/local.bro --- /opt/bro/share/bro/site/local.bro.orig 2013-02-23 01:54:53.291457193 +0000 +++ /opt/bro/share/bro/site/local.bro 2013-02-23 01:55:16.151996423 +0000 @@ -56,6 +56,10 @@ # This script enables SSL/TLS certificate validation. @load protocols/ssl/validate-certs +# Log certs per Seth +@load protocols/ssl/extract-certs-pem +redef SSL::extract_certs_pem = ALL_HOSTS; + # If you have libGeoIP support built in, do some geographic detections and # logging for SSH traffic. @load protocols/ssh/geo-data
Restart Bro.
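Review bot: the comment on the added lines, `# Log certs per Seth`, records who suggested the change rather than what it does; in local.bro a comment such as `# Extract every observed SSL/TLS certificate to a PEM file` would tell the next editor what `@load protocols/ssl/extract-certs-pem` and `redef SSL::extract_certs_pem = ALL_HOSTS;` are for without opening the script. Since the post notes that certificates are appended to the output file as Bro sees them, it is also worth recording next to the redef how that file is to be rotated or pruned, otherwise the setting is easy to forget once the file has grown.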
~# broctl
Welcome to BroControl 1.1

Type "help" for help.

[BroControl] > install
removing old policies in /nsm/bro/spool/installed-scripts-do-not-touch/site ... done.
removing old policies in /nsm/bro/spool/installed-scripts-do-not-touch/auto ... done.
creating policy directories ... done.
installing site policies ... done.
generating standalone-layout.bro ... done.
generating local-networks.bro ... done.
generating broctl-config.bro ... done.
updating nodes ... done.
[BroControl] > status
Name         Type         Host          Status    Pid    Peers  Started
bro          standalone   localhost     running   3042   0      17 Feb 13:22:42
[BroControl] > restart
stopping ...
stopping bro ...
starting ...
starting bro ...
[BroControl] > exit
After restarting you will have a new log for all SSL certs:
ls -al certs-remote.pem
-rw-r--r-- 1 root root 31907 Feb 23 02:05 certs-remote.pem
New certs are appended to the file as Bro sees them, each as a standard PEM block delimited by -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines. OpenSSL can read them one at a time, e.g.:
openssl x509 -in certs-remote.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            77:24:50:6d:4f:9a:87:9d:4b:c6:6e:67:88:f2:60:c9
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)06, CN=VeriSign Class 3 Extended Validation SSL CA
        Validity
            Not Before: Feb 29 00:00:00 2012 GMT
            Not After : Feb 28 23:59:59 2013 GMT
        Subject: 1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=2927442, C=US/postalCode=60603, ST=Illinois, L=Chicago/street=135 S La Salle St, O=Bank of America Corporation, OU=Network Infrastructure, CN=www.bankofamerica.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:bd:e6:52:eb:6a:9d:c5:b3:36:5c:10:35:a3:3a:
                    20:97:5a:69:d9:10:b5:40:6f:56:7c:a9:a1:b4:92:
                    eb:d1:a0:2b:29:00:89:09:71:f1:06:50:19:b3:c2:
                    a4:99:87:c6:67:7b:83:3d:49:46:70:e7:b6:3a:7b:
                    37:a3:e0:fd:c0:b8:ed:1b:c7:d8:63:84:80:17:4f:
                    a0:68:da:a8:c2:29:ac:35:d6:48:e8:2c:06:0e:ec:
                    04:6d:10:bb:d8:cf:74:0c:07:2a:19:74:a6:ff:b0:
                    6e:42:01:63:68:67:d9:70:31:33:61:16:9a:a6:a4:
                    8d:ba:7b:02:b5:24:ad:85:75:fe:a2:35:2c:85:0f:
                    a0:ee:68:1a:c1:97:60:12:d3:69:f0:32:e1:f3:bc:
                    6a:ec:ff:82:a6:31:7d:c8:94:8f:d9:96:8b:4f:4f:
                    02:a8:67:07:97:94:8c:f6:2a:bb:8c:85:e9:20:35:
                    57:8e:80:84:2e:1c:99:a4:99:74:7d:7c:66:63:ba:
                    a2:7a:77:e3:8b:6f:8f:22:4e:9f:ce:84:ad:bd:15:
                    3e:61:5f:73:c1:20:6c:b7:ca:a5:a8:5e:3b:b1:ab:
                    a2:96:9b:0a:bf:d3:29:5e:9f:85:2b:b0:72:9e:ec:
                    0e:cd:52:0b:63:c9:85:5f:b0:eb:fd:19:52:aa:69:
                    f4:1f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                AD:F7:DC:13:30:7C:18:27:7B:34:83:6A:DC:E3:DD:8D:8A:6E:29:8D
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://EVSecure-crl.verisign.com/EVSecure2006.crl
            X509v3 Certificate Policies:
                Policy: 2.16.840.1.113733.1.7.23.6
                  CPS: https://www.verisign.com/rpa
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Authority Key Identifier:
                keyid:FC:8A:50:BA:9E:B9:25:5A:7B:55:85:4F:95:00:63:8F:E9:58:6B:43
            Authority Information Access:
                OCSP - URI:http://EVSecure-ocsp.verisign.com
                CA Issuers - URI:http://EVSecure-aia.verisign.com/EVSecure2006.cer
            1.3.6.1.5.5.7.1.12:
                0`.^.\0Z0X0V..image/gif0!0.0...+......Kk.(.....R8.).K..!..0&.$http://logo.verisign.com/vslogo1.gif
    Signature Algorithm: sha1WithRSAEncryption
        77:d6:c8:64:dc:24:3f:8c:c7:f3:3b:58:7a:a8:29:be:39:e5:
        94:aa:00:af:98:07:f6:e8:9a:01:c7:d8:62:1f:1f:ac:5a:3d:
        7f:cf:5d:6b:2e:9d:e8:12:de:df:8a:a1:6c:8f:be:b3:59:70:
        1d:87:21:f4:6e:9f:ec:3c:6c:40:0f:b5:50:24:48:80:be:d5:
        11:ef:4d:79:39:4c:8d:a3:ea:a7:c0:99:36:ad:93:65:bf:06:
        72:76:db:04:9a:76:32:c1:51:20:2d:0b:85:9b:de:b6:72:c6:
        db:8e:60:2a:13:e3:83:4f:dc:24:ea:36:c8:a6:57:ea:86:74:
        a3:d8:02:f8:c5:33:52:d9:18:f7:fa:32:ac:5e:56:6f:cc:20:
        5d:5e:cf:04:c2:af:48:c2:87:0b:52:96:96:57:a3:9b:85:7b:
        31:92:01:68:9f:f2:97:d1:f4:bd:4c:06:a6:b3:84:5a:3f:02:
        09:ce:fa:f9:13:11:3e:35:2c:9a:b9:fb:35:ba:d7:4a:a0:4c:
        14:6a:84:b5:d9:9d:50:56:dc:62:b9:e3:60:74:52:a8:4c:04:
        df:38:3a:30:6f:50:be:20:31:0f:26:66:34:ba:b0:73:12:17:
        6b:b0:c1:02:b5:8c:49:55:80:43:02:16:e1:a1:c1:ba:c9:8a:
        60:dd:ac:92

Since each cert has a standard header and footer, I bet someone could write a parser to extract each cert from the certs-remote.pem file to separate files. Thanks a lot Seth!
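The parser the post wishes for, as an added example written for this edit rather than code from the post or from Bro: it walks a concatenated PEM file such as certs-remote.pem block by block, decodes each block to DER, keys it by the SHA-1 fingerprint in the same form openssl x509 -fingerprint prints, collapses repeats, skips a corrupt or still-being-written block, and writes each unique certificate to its own file. The sample input is constructed and contains no real certificates; the file and function names are my own.

```python
import base64
import hashlib
import os
BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
# Constructed sample input, not real X.509 data: only the PEM framing matters.
SAMPLE = (
    f"{BEGIN}\nYWJj\n{END}\n"          # base64 of b"abc"
    f"{BEGIN}\nY2VydC1vbmU=\n{END}\n"  # base64 of b"cert-one"
    f"{BEGIN}\nYWJj\n{END}\n"          # the first cert seen again (a repeat)
    f"{BEGIN}\nY2VydC10\n"             # cut off mid-write: no END line yet
)

def iter_pem_certs(text):
    """Yield the joined base64 body of each complete BEGIN/END block, in order.
    Text between blocks and an unterminated trailing block are skipped."""
    body, inside = [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line == BEGIN:
            body, inside = [], True
        elif line == END and inside:
            yield "".join(body)
            inside = False
        elif inside and line:
            body.append(line)

def fingerprint(der):
    """SHA-1 of the DER bytes, in the form openssl x509 -fingerprint prints."""
    h = hashlib.sha1(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, 40, 2))

def split_pem(text):
    """Map fingerprint -> DER for every decodable block; repeats collapse."""
    certs = {}
    for b64 in iter_pem_certs(text):
        try:
            der = base64.b64decode(b64, validate=True)
        except ValueError:
            continue  # corrupt block: skip it rather than abort the whole file
        certs[fingerprint(der)] = der
    return certs

def write_certs(text, outdir):
    """Write each unique cert to <outdir>/<sha1 hex>.pem; return the paths."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for fp, der in split_pem(text).items():
        paths.append(os.path.join(outdir, fp.replace(":", "").lower() + ".pem"))
        with open(paths[-1], "w") as f:
            f.write(BEGIN + "\n" + base64.encodebytes(der).decode() + END + "\n")
    return paths
```

Run write_certs(open("certs-remote.pem").read(), "certs") against the real file; the fingerprint of each output file should match what openssl x509 -fingerprint -noout reports for it.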
Comments
What value have you seen in logging the certificates?
Can't wait for the new book, btw.
% split -p 'BEGIN CERTIFICATE' cert.pem cert_
% ls cert_*
cert_aa cert_ab cert_ac
% openssl x509 -in cert_ab -fingerprint -noout
SHA1 Fingerprint=94:80:7B:1C:78:8D:D2:FC:BE:19:C8:48:1C:E4:1C:FA:B8:A4:C1:7F
% openssl base64 -d -in cert_ab | openssl sha1
94807b1c788dd2fcbe19c8481ce41cfab8a4c17f