
Using blacklist of malicious SSL Certificates in Netwitness?

Question asked by RSA Admin Employee on Jul 21, 2014
Latest reply on Jul 30, 2014 by RSA Admin

Hi.

Similar to Blacklisted IP, Domain feeds, we have a feed for malicious SSL certificates from https://sslbl.abuse.ch/

The feed contains the SHA1 fingerprint for a malicious certificate involved in C2 communication.

However, I don't see any meta field capturing this info in NetWitness.

I can see ssl.ca, ssl.subject, crypto related to TLS communication.

 

Is there a way to write a parser or so to capture the SHA1 fingerprint of the SSL certificates?
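
An added example, not part of the original post and not NetWitness parser code: what such a parser would have to compute. The SHA1 fingerprint is the SHA-1 digest of each certificate's raw DER bytes, which are visible in the cleartext Certificate handshake message of TLS 1.2 and earlier. The function names, the sample record and the blacklist set are assumptions made for this sketch.

```python
import hashlib

HANDSHAKE, CERTIFICATE = 22, 11   # TLS record type / handshake message type

def u24(buf, off):
    """Read a 3-byte big-endian length field."""
    return int.from_bytes(buf[off:off + 3], "big")

def cert_fingerprints(record):
    """SHA-1 (hex) of each certificate in a TLS <=1.2 Certificate record.

    Assumes the whole Certificate message sits in one record; a real
    parser must reassemble messages split across records.
    """
    if len(record) < 5 or record[0] != HANDSHAKE:
        return []
    body = record[5:5 + int.from_bytes(record[3:5], "big")]
    if len(body) < 7 or body[0] != CERTIFICATE:
        return []
    msg_end = min(4 + u24(body, 1), len(body))     # handshake message bound
    list_end = min(7 + u24(body, 4), msg_end)      # certificate_list bound
    off, prints = 7, []
    while off + 3 <= list_end:
        clen = u24(body, off)
        off += 3
        if off + clen > list_end:                  # truncated entry: stop
            break
        # The fingerprint is SHA-1 over the certificate's raw DER bytes.
        prints.append(hashlib.sha1(body[off:off + clen]).hexdigest())
        off += clen
    return prints

def blacklisted(record, blacklist):
    """Fingerprints from the record that appear in the blacklist set."""
    return [fp for fp in cert_fingerprints(record) if fp in blacklist]

def build_record(certs):
    """Build a constructed TLS 1.2 Certificate record for testing."""
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    msg = (bytes([CERTIFICATE]) + (len(entries) + 3).to_bytes(3, "big")
           + len(entries).to_bytes(3, "big") + entries)
    return bytes([HANDSHAKE, 3, 3]) + len(msg).to_bytes(2, "big") + msg

# Constructed sample: placeholder bytes stand in for DER certificates.
SAMPLE_RECORD = build_record([b"abc", b"constructed-issuer-bytes"])
SAMPLE_BLACKLIST = {"a9993e364706816aba3e25717850c26c9cd0d89d"}  # sha1(b"abc")
```

The blacklist set must hold lowercase hex strings to match `hexdigest()` output. In TLS 1.3 the Certificate message is encrypted, so passive fingerprinting of this kind does not apply there.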
