10.4. SSL Certificates
Information contained in SSL certificates is increasingly showing up in intelligence indicators. Trisul indexes certificate information in two forms, each aimed at a different usage scenario:

| | Index | Purpose |
|---|---|---|
| 1 | Normal index | The hash and subject information only, for fast bulk lookups |
| 2 | FTS index | Arbitrary search of all fields in the certificate, to aid drilldowns |
In this section, we describe the usage of the normal index. See the section on FTS Index for details about the FTS index.
For each SSL/TLS connection, Trisul stores the following in the normal index:
- a SHA-1 hash of each DER-encoded certificate in the chain
- the subject attributes, as text
In the example chain shown you can see three certificates, leading up to the root CA, in this case Verisign.
10.4.2 Normal Index
For query purposes the whole resource (the hash together with the subject text) is treated as a single string.
- Open the Search Criteria box by clicking on “Show”
- Choose either the “Search by endpoints” or the “Search by regex” tab
Search by endpoints
You can search by
- Exclude these IPs
- Pair of IPs
- Regex pattern
- Invert regex pattern
Search by regex
You can search by
- A single regex pattern on one line
- A list of substrings, each on a separate line
The main use of this tab in the context of SSL certificates is that it lets you search for hundreds of certificate hashes at once.
Multiple substring matches
Enter a list of patterns one per line.
The screenshot below shows how you can search for multiple hashes using this tab.
A single Perl-compatible regex
Enter a single regex in the Pattern box. It must be on a single line; use the multiple-substring form above if you need to look for many fixed values.
Matching resources are shown in a table.
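The following is an added example, not Trisul's own code. It shows what the normal index stores for a certificate chain (the SHA-1 of each DER-encoded certificate), how to turn a PEM chain or a list of intel hashes into the one-per-line list the multiple-substring tab expects, and how the two “Search by regex” modes behave when the hash and subject text are treated as a single string. The record layout `<sha1 hex> <subject text>`, the case-insensitive comparison, and the use of Python's `re` module in place of PCRE are assumptions of this example; the “certificates” are constructed stand-in bytes (the FIPS 180 SHA-1 test vectors), not real DER.

```python
"""Build a query list for Trisul's normal certificate index from a PEM chain
and emulate the two "Search by regex" modes locally.  Added example, not
Trisul's own code; assumes records of the form "<sha1 hex> <subject text>"."""
import base64
import hashlib
import re

# Constructed stand-in "certificates": the FIPS 180 SHA-1 test vectors,
# NOT real DER, chosen so the fingerprints have published values.
LEAF_DER = b"abc"
INTERMEDIATE_DER = b"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"


def to_pem(der: bytes) -> str:
    """Wrap DER bytes in a PEM CERTIFICATE block (base64, 76-column lines)."""
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


CHAIN_PEM = to_pem(LEAF_DER) + to_pem(INTERMEDIATE_DER)  # constructed chain

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_chain_to_der(pem: str) -> list:
    """Decode each PEM block back to its DER bytes, preserving chain order."""
    return [base64.b64decode("".join(m.group(1).split()))
            for m in PEM_BLOCK.finditer(pem)]


def sha1_fingerprints(pem: str) -> list:
    """SHA-1 over the DER encoding of every certificate in the chain, as
    lowercase hex: the value the normal index stores per certificate."""
    return [hashlib.sha1(der).hexdigest() for der in pem_chain_to_der(pem)]


def hash_list(pem: str, extra_hashes=()) -> str:
    """Text to paste into the multiple-substring box: one SHA-1 per line.
    extra_hashes appends indicators from an intel feed; they are lowercased
    so feed casing cannot cause a miss against lowercase hex in the index."""
    lines = sha1_fingerprints(pem) + [h.strip().lower() for h in extra_hashes if h.strip()]
    return "\n".join(lines)


# Constructed index records: hash + subject text, treated as ONE string.
RESOURCES = [
    "a9993e364706816aba3e25717850c26c9cd0d89d CN=www.example.com,O=Example Inc,C=US",
    "84983e441c3bd26ebaae4aa1f95129e5e54670f1 CN=Example Intermediate CA,O=Example Inc,C=US",
    "da39a3ee5e6b4b0d3255bfef95601890afd80709 CN=update.badcorp.test,O=BadCorp,C=XX",
]


def search_substrings(resources, pattern_lines: str, invert: bool = False) -> list:
    """Multiple-substring mode: one pattern per line; a record matches if it
    contains ANY of them.  Case-insensitive comparison is this example's
    assumption, not documented Trisul behaviour."""
    needles = [p.strip().lower() for p in pattern_lines.splitlines() if p.strip()]

    def hit(record: str) -> bool:
        return any(n in record.lower() for n in needles)

    return [r for r in resources if hit(r) != invert]


def search_regex(resources, pattern: str, invert: bool = False) -> list:
    """Single-regex mode.  Python's re module stands in for PCRE here; the
    pattern must fit on one line, as the UI requires."""
    if "\n" in pattern.strip():
        raise ValueError("regex must be on a single line")
    rx = re.compile(pattern, re.I)
    return [r for r in resources if bool(rx.search(r)) != invert]


if __name__ == "__main__":
    print(hash_list(CHAIN_PEM, extra_hashes=["DA39A3EE5E6B4B0D3255BFEF95601890AFD80709"]))
    for r in search_substrings(RESOURCES, hash_list(CHAIN_PEM)):
        print("substring hit:", r)
    for r in search_regex(RESOURCES, r"O=BadCorp,C=\w\w$"):
        print("regex hit:", r)
```

One practical point the example makes explicit: because the index holds the SHA-1 of the DER encoding, indicators supplied as SHA-256 fingerprints or as hashes of the PEM text will never match; convert the certificate to DER and hash it with SHA-1 before building the list.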
Click on “Options” for further options.
- Related flow(s) – find TCP/UDP flow that transferred the resource
- Details – Resource details in a single page
- Show Headers – PCAP headers in text and hexdump (first 50K bytes)
- Download PCAP – PCAP containing the flow(s) that transferred the resource
- Add to briefcase – Add to PCAP briefcase for later download