script:x509_ext_c2

script:x509_ext_c2 [2018/02/08 23:46] – [The Full Text Search FTS Document] veera
script:x509_ext_c2 [2018/02/08 23:51] – [Analysing the sample PCAP in Trisul] veera
Line 24: Line 24:
  
  
-Next you have to write a small LUA script that plugs into the FTS Stream. Your script will  then get a chance to process each certificate //out of the fast packet path//. The Trisul LUA API provides the [[https://www.trisul.org/docs/lua/fts_monitor.html|FTS Monitor script]] for exactly this purpose.+Next you have to write a small LUA script that plugs into the FTS SSL Certs Stream. Your script will then get a chance to peek at each certificate //out of the fast packet path// By moving this out of the //Fast Packet Path// (For more on Fast Path and Slow Path in Trisul LUA API see [[https://www.trisul.org/docs/lua/basics.html#stream_processing|"Stream Processing"]])) Trisul gives your scripts a large time budget a few seconds to process without incurring packet loss.  The Trisul LUA API provides the [[https://www.trisul.org/docs/lua/fts_monitor.html|FTS Monitor script]] for exactly this purpose.
  
-I just put together a quick [[https://github.com/trisulnsm/trisul-scripts/blob/master/lua/backend_scripts/fts/c2-x509-fts.lua|FTS Monitor LUA script on GitHub]] that demonstrates how you can pick apart the cert using simple regex.  The snippet is shown below+I just put together a quick [[https://github.com/trisulnsm/trisul-scripts/blob/master/lua/backend_scripts/fts/c2-x509-fts.lua|FTS Monitor LUA script on GitHub]] that demonstrates how you can pick apart the cert using simple regex. The snippet is shown below
  
 <code lua> <code lua>
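Review bot: the added sentence in this hunk closes its parenthesis twice after the "Stream Processing" link (`]]))`) and runs two clauses together in "a large time budget a few seconds to process"; suggest closing the parenthesis once and punctuating, e.g. `...|"Stream Processing"]]), Trisul gives your scripts a large time budget, a few seconds, to process without incurring packet loss.` The preceding sentence also lost its full stop in the rewrite ("//out of the fast packet path// By moving"), so the two sentences now read as one.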
Line 47: Line 47:
  
   - Use a Regex to capture the bytestring in // X509v3 Subject Key//   - Use a Regex to capture the bytestring in // X509v3 Subject Key//
-  - If above 32 characters then we suspect something fishy , you can also generate an alert at this point using the ''engine:add_alert(..)'' method. +  - If the SKI extension is greater than 32 characters then we suspect something fishy. You may even generate an alert at this point using the ''engine:add_alert(..)'' method. 
   - Open a tmp file the convert the hex to binary and dump the contents there.    - Open a tmp file the convert the hex to binary and dump the contents there. 
  
  
-If you place this script in the LUA folder ''/usr/local/etc/trisul-probe/plugins/lua'' and re-ran the PCAP file, then you would get a number of files in the tmp folder containing chunks of the Mimikatz binary. Then when you run the //file// command you can see the chunk that contain the PE Header show up. You can also do this as part of the script itself.+If you place this script in the LUA folder ''/usr/local/etc/trisul-probe/plugins/lua'' and re-run the PCAP file, then you would get a number of files in the tmp folder containing chunks of the Mimikatz binary. When you run the //file// command you can see the chunk that contain the PE Header show up. You can also do this as part of the script itself.
  
 {{:script:mimi1.png|}} {{:script:mimi1.png|}}
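Review bot: the threshold in the rewritten second list item ("greater than 32 characters") still does not say what is being counted (hex digits in the FTS text, or decoded bytes), so a reader cannot compare it with the size of a normally formed Subject Key Identifier; state the unit and the reason for choosing 32. The unchanged third item reads "Open a tmp file the convert the hex to binary" (should be "then convert"), and the last paragraph should read "the chunks that contain the PE Header" or "the chunk that contains". Because the script writes bytes taken straight from an untrusted certificate into a shared tmp folder, a sentence on using a dedicated output directory with restricted permissions, and on removing the dumped chunks once analysed, would stop carved malware fragments from being left readable on the sensor.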
script/x509_ext_c2.txt · Last modified: 2024/06/05 10:49 by thiyagu