
Using blacklist of malicious SSL Certificates in Netwitness?

Question asked by RSA Admin Employee on Jul 21, 2014
Latest reply on Oct 12, 2018 by Eric Partington

Hi.

Similar to blacklisted IP and domain feeds, we have a feed for malicious SSL certificates from https://sslbl.abuse.ch/

The feed contains the SHA1 fingerprint for a malicious certificate involved in C2 communication.

However, I don't see any meta field capturing this info in NetWitness.

I can see ssl.ca, ssl.subject, crypto related to TLS communication.

Is there a way to write a parser or so to capture the SHA1 fingerprint of the SSL certificates?
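What matching traffic against such a fingerprint feed involves, as an added example that is not part of the original question and is not a NetWitness parser: the SHA-1 fingerprint is the hash of the DER-encoded certificate, which can be read from the cleartext Certificate handshake message in TLS 1.2 and earlier (TLS 1.3 encrypts that message). The function names, the three-column CSV layout and the sample bytes are assumptions constructed for illustration.

```python
import hashlib

def u24(buf, pos):
    return int.from_bytes(buf[pos:pos + 3], "big")

def load_blacklist(csv_text):
    """Map lowercase SHA-1 hex -> listing reason; '#' lines are comments."""
    rows = (l.strip().split(",", 2) for l in csv_text.splitlines()
            if l.strip() and not l.startswith("#"))
    return {sha1.lower(): reason for _date, sha1, reason in rows}

def chain_fingerprints(msg):
    # msg is a Certificate message body: 3-byte list length, then length-prefixed DER certs
    out, pos, end = [], 3, min(len(msg), 3 + u24(msg, 0))
    while pos + 3 <= end:
        der = msg[pos + 3:pos + 3 + u24(msg, pos)]
        if len(der) != u24(msg, pos):
            break                               # truncated entry
        out.append(hashlib.sha1(der).hexdigest())
        pos += 3 + len(der)
    return out

def cert_fingerprints(record):
    """Fingerprints from one cleartext TLS handshake record (TLS <= 1.2)."""
    body, pos = record[5:], 0
    if len(record) < 5 or record[0] != 22 or len(body) != int.from_bytes(record[3:5], "big"):
        return []                               # 22 = handshake; a whole record is required
    while pos + 4 <= len(body):                 # walk coalesced handshake messages
        htype, hlen = body[pos], u24(body, pos + 1)
        msg = body[pos + 4:pos + 4 + hlen]
        if len(msg) != hlen:
            return []                           # fragmented: needs reassembly first
        if htype == 11:                         # 11 = Certificate
            return chain_fingerprints(msg)
        pos += 4 + hlen
    return []

def blacklisted(record, bl):
    return [(fp, bl[fp]) for fp in cert_fingerprints(record) if fp in bl]

# Constructed sample: stand-in bytes instead of real DER, after a ServerHello stub.
def build_record(certs):
    chain = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    msg = len(chain).to_bytes(3, "big") + chain
    body = b"\x02\x00\x00\x02\x03\x03" + b"\x0b" + len(msg).to_bytes(3, "big") + msg
    return b"\x16\x03\x03" + len(body).to_bytes(2, "big") + body
LEAF, ISSUER = b"constructed-leaf-der", b"constructed-issuer-der"
SAMPLE_RECORD = build_record([LEAF, ISSUER])
SAMPLE_BL = load_blacklist("# Listingdate,SHA1,Listingreason\n2014-07-21 00:00:00,"
                           + hashlib.sha1(LEAF).hexdigest().upper() + ",constructed C2 entry\n")
```

The parser returns nothing when the Certificate message is split across records, so a capture pipeline has to reassemble the handshake stream before hashing.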
