Hi.
Similar to Blacklisted IP, Domain feeds, we have a feed for malicious ssl certificates from https://sslbl.abuse.ch/
The feed contains SHA1 fingerprint for a malicious certificate involved in C2 Communication.
However, I don't see any meta field capturing this info in NetWitness.
I can see ssl.ca, ssl.subject, crypto related to TLS Communication.
Is there a way to write a parser or so to capture the SHA1 fingerprint of the SSL Certificates?
It's a good idea, but unfortunately not straightforward to implement. The main limitation is that the parser cannot hash data, and the hashed value of the certificate is not directly part of the traffic (only the full certificate is).
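To make the answer above concrete: the SSLBL feed lists the SHA1 of the DER-encoded certificate bytes, which are sent in the clear in the TLS Certificate handshake message (TLS 1.2 and earlier), so anything that wants to match the feed has to hash those bytes itself. The following is an added example, not NetWitness parser code and not from abuse.ch: it parses a Certificate handshake record, fingerprints each certificate it carries, and checks the fingerprints against a feed. The TLS record is built from constructed stand-in blobs (not real certificates) so that the script runs offline; the record and handshake framing it parses is the real TLS 1.2 layout, but the function names and the sample feed are this example's own.

```python
import hashlib
import struct

TLS_HANDSHAKE = 0x16   # TLS record content type: handshake
HS_CERTIFICATE = 0x0B  # handshake message type: Certificate


def build_certificate_record(cert_blobs):
    """Wrap DER certificate blobs in a TLS 1.2 Certificate handshake record.

    Only used here to construct sample input; on the wire the server sends this.
    Layout: record header (type, version, len16) + handshake header (type, len24)
            + certificate_list len24 + (len24 + DER bytes) per certificate.
    """
    certs = b"".join(len(c).to_bytes(3, "big") + c for c in cert_blobs)
    body = len(certs).to_bytes(3, "big") + certs
    handshake = bytes([HS_CERTIFICATE]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x03]) + struct.pack(">H", len(handshake)) + handshake


def extract_certificates(record):
    """Return the list of DER blobs carried in a TLS Certificate handshake record.

    Raises ValueError on anything that is not a well-formed Certificate message,
    so a truncated capture never yields a partial (and therefore wrong) hash.
    """
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != HS_CERTIFICATE:
        raise ValueError("not a complete Certificate handshake message")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or len(body) < 3:
        raise ValueError("truncated handshake message")
    end = 3 + int.from_bytes(body[0:3], "big")
    if end > len(body):
        raise ValueError("truncated certificate list")
    certs, pos = [], 3
    while pos < end:
        clen = int.from_bytes(body[pos:pos + 3], "big")
        pos += 3
        cert = body[pos:pos + clen]
        if len(cert) != clen:
            raise ValueError("truncated certificate entry")
        certs.append(cert)
        pos += clen
    return certs


def sha1_fingerprint(der):
    """SHA1 over the raw DER bytes: this is the value the SSLBL feed publishes."""
    return hashlib.sha1(der).hexdigest()


def match_feed(record, feed):
    """Fingerprints from the record that appear in the feed (order preserved)."""
    wanted = {entry.lower().replace(":", "") for entry in feed}
    return [fp for fp in (sha1_fingerprint(c) for c in extract_certificates(record))
            if fp in wanted]


# --- constructed sample input (stand-in blobs, not real X.509 certificates) ---
LEAF = b"\x30\x82\x01\x00constructed-leaf-certificate-bytes"
INTERMEDIATE = b"\x30\x82\x02\x00constructed-intermediate-certificate-bytes"
BENIGN = b"\x30\x82\x03\x00constructed-unlisted-certificate-bytes"

SAMPLE_RECORD = build_certificate_record([LEAF, INTERMEDIATE])
BENIGN_RECORD = build_certificate_record([BENIGN])

# Constructed feed: one entry is the leaf's fingerprint (upper-case, colon form
# to exercise normalisation), the other is an unrelated placeholder hash.
SAMPLE_FEED = [
    ":".join(sha1_fingerprint(LEAF)[i:i + 2] for i in range(0, 40, 2)).upper(),
    "0000000000000000000000000000000000000000",  # placeholder, not a real IoC
]

if __name__ == "__main__":
    for fp in (sha1_fingerprint(c) for c in extract_certificates(SAMPLE_RECORD)):
        print("seen certificate fingerprint:", fp)
    print("feed hits:", match_feed(SAMPLE_RECORD, SAMPLE_FEED))
    print("benign hits:", match_feed(BENIGN_RECORD, SAMPLE_FEED))
```

In practice the DER blobs would come from a packet capture or from whatever the collector exposes as the raw certificate, and the feed from the SSLBL CSV; the point is that the hash has to be computed somewhere outside a parser that can only copy bytes into meta keys. Note that TLS 1.3 encrypts the Certificate message, so this only works against TLS 1.2 and earlier handshakes seen on the wire.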