Differences

This shows you the differences between two versions of the page.

--- script:x509_ext_c2 [2018/02/08 23:51] – [Analysing the sample PCAP in Trisul] veera
+++ script:x509_ext_c2 [2018/02/09 00:01] – [Trisul vs Bro approaches to the same problem] veera
@@ Line 3: / Line 3: @@
 I saw a couple of blogs about a new way to create a C2 (Command and Control) channel using X.509 Certificates. This technique is described in //Abusing X.509 Certificates for Covert Data Exchange// ((Dark Reading https://www.darkreading.com/attacks-breaches/abusing-x509-digital-certificates-for-covert-data-exchange/d/d-id/1330984?_mc=sm_dr&hootPostID=a10970e131beaf9b5a7ac86b0564b114))  and the original link on the //Fidelis Blog Whats missing is in front of us// ((Fidelis Security Blog https://www.fidelissecurity.com/threatgeek/2018/02/exposing-x509-vulnerabilities)) and also on the //Network Miner blog Examining a X.509 Covert Channel// (( Network Miner blog post https://www.fidelissecurity.com/threatgeek/2018/02/exposing-x509-vulnerabilities )) I'd also like to mention the author [[https://twitter.com/sysopfb|Jason Reaves]]
-In this technique the covert channel is built by stuffing chunks of data into  X.509 Certificate Extensions, in this case the "Subject Key Identifier" aka SKI extension. This is usually a hash of 20 bytes.  However this is not used in certificate validation and it appears from the researchers that the network defenses are not checking if this contains a valid value.  The C2 POC uses a large number of certificates with SKI values of 10,000 bytes !
+In this technique the covert channel is built by stuffing chunks of data into  X.509 Certificate Extensions, in this case the "Subject Key Identifier" aka SKI extension. This is usually a hash of 20 bytes.  However this is not used in certificate validation and it appears current commercial network defenses are not checking if this contains a valid value.  The C2 POC uses a large number of certificates with SKI values of 10,000 bytes !
-Detecting this is quite easy with Trisul as well as Bro IDS. This post highlights the different approaches taken.
+Detecting this is quite easy with [[https://trisul.org/docs/lua|Trisul]] as well as [[https://www.bro.org/|Bro IDS]]. This post highlights the Trisul approach.
-===== The Full Text Search FTS Document =====
+===== Trisul vs Bro approaches to the same problem  =====
 Trisul extracts metadata from network traffic and makes them available to LUA Scripts. There are two //streams// your scripts can plug into.
-  - the **Resource** stream:  these are shorter summaries of the meta data. For example the DNS Resources would be one line summary of question and answers
+  - the **Resource** stream:  these are shorter summaries of the meta data. For example the DNS Resources would be one line summary of question and answers. SSL Resources contain the DER format certificate chain.
-  - the **FTS** stream: a complete text dump of the meta data. The DNS FTS stream would be a full dump of all DNS fields - much like the DIG format. Similarly for SSL Certificates, the FTS stream passes text documents that mirror the `openssl x509` command.
+  - the **FTS** stream: a complete text dump in some canonical format. For example : The DNS FTS stream would contain documents with a full dump of all DNS fields - much like the DIG format. Similarly for SSL Certificates, the FTS stream passes text documents that mirror the `openssl x509` command.
-You can see the **different approach taken by Trisul NSM compared to Bro IDS**. Instead of fine grained events, Trisul provides a text document.
+You can see the **different approach taken by Trisul NSM compared to Bro IDS**. Instead of fine grained events preferred by Bro IDS, Trisul provides a text document.  If you wanted to parse the document yourself, you can do that as well using LuaJIT FFI. Here is an example of FFI'ing [[https://github.com/trisulnsm/trisul-scripts/blob/master/lua/backend_scripts/roca/roca.lua|into the OpenSSL  BIGNUM library]] from a script
 ==== Analysing the sample PCAP in Trisul ====