script:x509_ext_c2 [2018/02/09 00:00] – [Detecting covert channels in X.509 Digital Certificates using the Trisul LUA API] veera
script:x509_ext_c2 [2024/06/05 10:40] – old revision restored (2018/02/09 00:01) thiyagu
Line 12: Line 12:
  
   - the **Resource** stream:  these are shorter summaries of the meta data. For example the DNS Resources would be one line summary of question and answers. SSL Resources contain the DER format certificate chain.   - the **Resource** stream:  these are shorter summaries of the meta data. For example the DNS Resources would be one line summary of question and answers. SSL Resources contain the DER format certificate chain.
-  - the **FTS** stream: a complete text dump of the meta data. For example : The DNS FTS stream would contain documents with a full dump of all DNS fields - much like the DIG format. Similarly for SSL Certificates, the FTS stream passes text documents that mirror the `openssl x509` command.+  - the **FTS** stream: a complete text dump in some canonical format. For example : The DNS FTS stream would contain documents with a full dump of all DNS fields - much like the DIG format. Similarly for SSL Certificates, the FTS stream passes text documents that mirror the `openssl x509` command.
  
 You can see the **different approach taken by Trisul NSM compared to Bro IDS**. Instead of fine grained events preferred by Bro IDS, Trisul provides a text document.  If you wanted to parse the document yourself, you can do that as well using LuaJIT FFI. Here is an example of FFI'ing [[https://github.com/trisulnsm/trisul-scripts/blob/master/lua/backend_scripts/roca/roca.lua|into the OpenSSL  BIGNUM library]] from a script You can see the **different approach taken by Trisul NSM compared to Bro IDS**. Instead of fine grained events preferred by Bro IDS, Trisul provides a text document.  If you wanted to parse the document yourself, you can do that as well using LuaJIT FFI. Here is an example of FFI'ing [[https://github.com/trisulnsm/trisul-scripts/blob/master/lua/backend_scripts/roca/roca.lua|into the OpenSSL  BIGNUM library]] from a script
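Review bot: the rewording of the FTS item drops what is being dumped. "a complete text dump in some canonical format" no longer says that the dump is of the metadata, which is the contrast the Resource item sets up; "a complete text dump of the meta data in a canonical text format" keeps both halves. Same line, "For example : The DNS FTS stream" should read "For example: the DNS FTS stream".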
Line 18: Line 18:
 ==== Analysing the sample PCAP in Trisul ==== ==== Analysing the sample PCAP in Trisul ====
  
-The researchers have provided a [[https://github.com/fideliscyber/x509|sample PCAP file containing a POC]] of the channel (( GitHub page of POC https://github.com/fideliscyber/x509)). If you import the PCAP file into Trisul using ''trisulctl_probe importpcap mimikatz_sent.pcap'' and navigate to SSL Certs FTS and then search for Key" you can see the certificates in full text format. This is shown below.+The researchers have provided a [[https://github.com/fideliscyber/x509|sample PCAP file containing a POC]] of the channel  GitHub page of POC https://github.com/fideliscyber/x509)). If you import the PCAP file into Trisul using ''trisulctl_probe importpcap mimikatz_sent.pcap'' and navigate to SSL Certs FTS and then search for Key" you can see the certificates in full text format. This is shown below.
  
  
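Review bot: the new revision removes the opening `((` of the footnote but keeps the closing `))`, so "GitHub page of POC https://github.com/fideliscyber/x509))" will render inline with a stray "))" instead of as a footnote; restore the `((` before "GitHub page of POC". While here, `search for Key"` has an unmatched quote on both sides and should be `search for "Key"`.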
Line 24: Line 24:
  
  
-Next you have to write a small LUA script that plugs into the FTS SSL Certs Stream. Your script will then get a chance to peek at each certificate //out of the fast packet path// By moving this out of the //Fast Packet Path// (For more on Fast Path and Slow Path in Trisul LUA API see [[https://www.trisul.org/docs/lua/basics.html#stream_processing|"Stream Processing"]])) Trisul gives your scripts a large time budget a few seconds to process without incurring packet loss.  The Trisul LUA API provides the [[https://www.trisul.org/docs/lua/fts_monitor.html|FTS Monitor script]] for exactly this purpose.+Next you have to write a small LUA script that plugs into the FTS SSL Certs Stream. Your script will then get a chance to peek at each certificate //out of the fast packet path// By moving this out of the //Fast Packet Path// ((For more on Fast Path and Slow Path in Trisul LUA API see [[https://www.trisul.org/docs/lua/basics.html#stream_processing|"Stream Processing"]])) Trisul gives your scripts a large time budget a few seconds to process without incurring packet loss.  The Trisul LUA API provides the [[https://www.trisul.org/docs/lua/fts_monitor.html|FTS Monitor script]] for exactly this purpose.
  
 I just put together a quick [[https://github.com/trisulnsm/trisul-scripts/blob/master/lua/backend_scripts/fts/c2-x509-fts.lua|FTS Monitor LUA script on GitHub]] that demonstrates how you can pick apart the cert using a simple regex. The snippet is shown below I just put together a quick [[https://github.com/trisulnsm/trisul-scripts/blob/master/lua/backend_scripts/fts/c2-x509-fts.lua|FTS Monitor LUA script on GitHub]] that demonstrates how you can pick apart the cert using a simple regex. The snippet is shown below
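Review bot: the sentence still runs on after "//out of the fast packet path//": add a full stop before "By moving this", and set off the parenthetical so it reads "a large time budget, a few seconds, to process without incurring packet loss". The added `((` that balances the footnote around the "Stream Processing" link is correct and should stay.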
Line 67: Line 67:
  
 The [[https://github.com/trisulnsm/trisul-scripts|trisul-scripts GitHub repo]] contains dozens of example scripts of all kinds. The Documentation is Open and Free to use for all. Give it a go. The [[https://github.com/trisulnsm/trisul-scripts|trisul-scripts GitHub repo]] contains dozens of example scripts of all kinds. The Documentation is Open and Free to use for all. Give it a go.
- 
- 
  
    
  
script/x509_ext_c2.txt · Last modified: 2024/06/05 10:49 by thiyagu