script:x509_ext_c2
Differences
script:x509_ext_c2 [2018/02/08 23:42] – [The Full Text Search FTS Document] veera | script:x509_ext_c2 [2018/02/08 23:51] – [Analysing the sample PCAP in Trisul] veera | ||
---|---|---|---|
Line 14: | Line 14: | ||
- the **FTS** stream: a complete text dump of the meta data. The DNS FTS stream would be a full dump of all DNS fields - much like the DIG format. Similarly for SSL Certificates, | - the **FTS** stream: a complete text dump of the meta data. The DNS FTS stream would be a full dump of all DNS fields - much like the DIG format. Similarly for SSL Certificates, | ||
- | You can see the different approach taken by Trisul NSM compared to Bro IDS. Instead of fine grained events, Trisul provides a text document. | + | You can see the **different approach taken by Trisul NSM compared to Bro IDS**. Instead of fine grained events, Trisul provides a text document. |
==== Analysing the sample PCAP in Trisul ==== | ==== Analysing the sample PCAP in Trisul ==== | ||
- | The researchers have provided a [[https:// | + | The researchers have provided a [[https:// |
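Review bot: the link added on the "The researchers have provided a" line is cut off after `[[https://` in both the old and the new column, so neither the link text nor the URL of the sample PCAP is visible and the reference cannot be followed or checked; complete the `[[url|text]]` link before this revision is kept. A minor style point on the first row of the hunk: "meta data" and "fine grained" are better written as "metadata" and "fine-grained" in both columns.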
Line 24: | Line 24: | ||
- | Next you have to write a small LUA script that plugs into the FTS Stream. Your script will then get a chance to process | + | Next you have to write a small LUA script that plugs into the FTS SSL Certs Stream. Your script will then get a chance to peek at each certificate //out of the fast packet path// |
- | I just put together a quick [[https:// | + | I just put together a quick [[https:// |
<code lua> | <code lua> | ||
- | -- WHEN CALLED : a new FTS Document is seen | + | -- WHEN CALLED : a new FTS Document |
onnewfts | onnewfts | ||
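Review bot: the edit to the Lua comment drops "is seen" from "-- WHEN CALLED : a new FTS Document is seen", leaving the new comment "-- WHEN CALLED : a new FTS Document" as a fragment that no longer says when the handler fires; the old wording was the clearer one and should be restored. In the prose rows, the new phrase "peek at each certificate //out of the fast packet path//" ends mid-sentence, and the linked script on the "I just put together a quick" line is again truncated to `[[https://`; both need completing. Style point: "LUA" should be written "Lua" (the language name is not an acronym).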
Line 47: | Line 47: | ||
- Use a Regex to capture the bytestring in // X509v3 Subject Key// | - Use a Regex to capture the bytestring in // X509v3 Subject Key// | ||
- | - If above 32 characters then we suspect something fishy , you can also generate an alert at this point using the '' | + | - If the SKI extension is greater than 32 characters then we suspect something fishy. You may even generate an alert at this point using the '' |
- Open a tmp file the convert the hex to binary and dump the contents there. | - Open a tmp file the convert the hex to binary and dump the contents there. | ||
- | If you place this script in the LUA folder ''/ | + | If you place this script in the LUA folder ''/ |
{{: | {{: |
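Review bot: the new wording "If the SKI extension is greater than 32 characters" leaves the threshold ambiguous, because step 3 converts the captured hex to binary: say whether the 32 applies to the hex characters matched by the regex or to the decoded bytes, since the two differ by a factor of two and the alert condition depends on it. The abbreviation "SKI" also appears here for the first time while the preceding step calls the field "X509v3 Subject Key", so expand it once (Subject Key Identifier) where it is introduced. The alert function name after "using the ''" is cut off and the folder after "LUA folder ''/" is likewise truncated in both columns; fill these in so the reader can locate the function and the install path. Typo in step 3 (unchanged by this edit): "Open a tmp file the convert the hex to binary" should read "then convert". Finally, the image placeholder `{{:` is truncated, so the screenshot this row refers to is not identified.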
script/x509_ext_c2.txt · Last modified: 2024/06/05 10:49 by thiyagu