script:x509_ext_c2

Differences

This shows you the differences between two versions of the page.
script:x509_ext_c2 [2018/02/08 23:59] – [The Full Text Search FTS Document] veera
script:x509_ext_c2 [2018/02/09 00:00] – [Detecting covert channels in X.509 Digital Certificates using the Trisul LUA API] veera

Line 5:

 In this technique the covert channel is built by stuffing chunks of data into X.509 Certificate Extensions, in this case the "Subject Key Identifier" (SKI) extension. This is usually a 20-byte hash. However, it is not used in certificate validation, and it appears current commercial network defenses do not check whether it contains a valid value. The C2 POC uses a large number of certificates with SKI values of 10,000 bytes!

-Detecting this is quite easy with Trisul as well as Bro IDS. This post highlights the different approaches taken.
+Detecting this is quite easy with [[https://trisul.org/docs/lua|Trisul]] as well as [[https://www.bro.org/|Bro IDS]]. This post highlights the Trisul approach.

===== Trisul vs Bro approaches to the same problem =====
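Added example, not from the original page or from Trisul or Bro: a stand-alone Python check that decodes the DER OCTET STRING of a Subject Key Identifier and flags values longer than the usual 20 bytes (such as the 10,000-byte values the POC uses) or malformed encodings. It assumes the detection hook already hands it the raw SKI bytes (the contents of the extension's extnValue); the two sample SKIs are constructed, not taken from real certificates.

```python
import hashlib

# A typical SKI is the 20-byte SHA-1 hash of the public key (RFC 5280 4.2.1.2, method 1).
NORMAL_SKI_LEN = 20


def der_octet_string(payload: bytes) -> bytes:
    """DER-encode payload as an OCTET STRING (tag 0x04), short- or long-form length."""
    n = len(payload)
    if n < 0x80:
        return b"\x04" + bytes([n]) + payload
    len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x04" + bytes([0x80 | len(len_bytes)]) + len_bytes + payload


def parse_der_octet_string(data: bytes):
    """Return (payload, total_length) for one DER OCTET STRING; raise ValueError if malformed."""
    if len(data) < 2 or data[0] != 0x04:
        raise ValueError("not a DER OCTET STRING")
    first = data[1]
    if first < 0x80:                      # short form: length fits in 7 bits
        length, offset = first, 2
    else:                                 # long form: low 7 bits give the number of length bytes
        num = first & 0x7F
        if num == 0 or num > 4 or len(data) < 2 + num:
            raise ValueError("bad long-form length")
        length, offset = int.from_bytes(data[2:2 + num], "big"), 2 + num
        if length < 0x80:
            raise ValueError("non-minimal length encoding")
    if len(data) != offset + length:
        raise ValueError("length does not match content")
    return data[offset:], offset + length


def check_ski(ski_der: bytes, max_len: int = NORMAL_SKI_LEN) -> dict:
    """Classify a DER-encoded KeyIdentifier (the contents of the SKI extnValue)."""
    try:
        payload, _ = parse_der_octet_string(ski_der)
    except ValueError as exc:
        return {"suspicious": True, "reason": f"malformed DER: {exc}", "length": None}
    if len(payload) > max_len:
        return {"suspicious": True, "reason": f"SKI is {len(payload)} bytes, expected <= {max_len}",
                "length": len(payload)}
    return {"suspicious": False, "reason": "ok", "length": len(payload)}


# Constructed samples (hypothetical, not real certificates).
BENIGN_SKI = der_octet_string(hashlib.sha1(b"constructed public key bytes").digest())  # 20 bytes
STUFFED_SKI = der_octet_string(b"A" * 10000)  # the 10,000-byte SKI values the page describes

if __name__ == "__main__":
    for name, ski in (("benign", BENIGN_SKI), ("stuffed", STUFFED_SKI)):
        print(name, check_ski(ski))
```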
script/x509_ext_c2.txt · Last modified: 2024/06/05 10:49 by thiyagu