Hi.
Similar to Blacklisted IP, Domain feeds, we have a feed for malicious ssl certificates from https://sslbl.abuse.ch/
The feed contains SHA1 fingerprint for a malicious certificate involved in C2 Communication.
However, i don't see any meta field capturing this info in netwitness.
i can see ssl.ca, ssl.subject, crypto related to TLS Communication.
Is there way to write a parser or so to capture sha1 fingerprint of the SSL Certifciates ?
Are you sure that fingerprints are not stored as part of the certificate?
For example, here it seems to be part of it:
And here you have snort signatures based on fingerprints:
exactly, the hash is already available in the certificate which is in the network communication.
i guess parser should capture that info.
I did some quick research before my original, post and I thought the fingerprint was in the certificate, but not as hash of the complete certificate. See also this:
It's a hash of the full content of the certificate. You can't put the hash inside, it gives a chicken and egg problem. The fingerprints in your windows dialog box are likely computed by the client.
Also:
Daily Ruleset Update Summary 07/18/2014 - Emerging Threats
"Today we are publishing the signatures created and shared by abuse.ch. We have converted the majority of them to Snort, but due to the inability of Snort to match on the SHA1 fingerprint of a SSL cert, some of their signatures are being released for Suricata only. Special thanks to abuse.ch for the work they do and for allowing us to share these with the community!"
So I'm not completely convinced yet, yet someone could prove me wrong and write a working SSL fingerprint parser
on Jul 21, 2014
It's a good idea, but unfortunately not straightforward to implement. The main limitation is that the parser cannot hash data, and the hashed value of the certificate is not directly part of the traffic (only the full certificate is).