Trisul Network Analytics
Developer Zone

User Tools

Site Tools

You are here: Home » script » Detecting covert channels in X.509 Digital Certificates using the Trisul LUA API
Trace:
script:x509_ext_c2

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
Last revisionBoth sides next revision
script:x509_ext_c2 [2018/02/08 23:57] – [The Full Text Search FTS Document] veerascript:x509_ext_c2 [2018/02/09 00:01] – [Trisul vs Bro approaches to the same problem] veera
Line 5: Line 5:
 In this technique the covert channel is built by stuffing chunks of data into  X.509 Certificate Extensions, in this case the "Subject Key Identifier" aka SKI extension. This is usually a hash of 20 bytes.  However this is not used in certificate validation and it appears current commercial network defenses are not checking if this contains a valid value.  The C2 POC uses a large number of certificates with SKI values of 10,000 bytes !  In this technique the covert channel is built by stuffing chunks of data into  X.509 Certificate Extensions, in this case the "Subject Key Identifier" aka SKI extension. This is usually a hash of 20 bytes.  However this is not used in certificate validation and it appears current commercial network defenses are not checking if this contains a valid value.  The C2 POC uses a large number of certificates with SKI values of 10,000 bytes ! 
  
-Detecting this is quite easy with Trisul as well as Bro IDS. This post highlights the different approaches taken.+Detecting this is quite easy with [[https://trisul.org/docs/lua|Trisul]] as well as [[https://www.bro.org/|Bro IDS]]. This post highlights the Trisul approach.
  
-===== The Full Text Search FTS Document =====+===== Trisul vs Bro approaches to the same problem  =====
  
 Trisul extracts metadata from network traffic and makes them available to LUA Scripts. There are two //streams// your scripts can plug into.  Trisul extracts metadata from network traffic and makes them available to LUA Scripts. There are two //streams// your scripts can plug into. 
  
-  - the **Resource** stream:  these are shorter summaries of the meta data. For example the DNS Resources would be one line summary of question and answers +  - the **Resource** stream:  these are shorter summaries of the meta data. For example the DNS Resources would be one line summary of question and answers. SSL Resources contain the DER format certificate chain. 
-  - the **FTS** stream: a complete text dump of the meta data. For example : The DNS FTS stream would contain documents with a full dump of all DNS fields - much like the DIG format. Similarly for SSL Certificates, the FTS stream passes text documents that mirror the `openssl x509` command.+  - the **FTS** stream: a complete text dump in some canonical format. For example : The DNS FTS stream would contain documents with a full dump of all DNS fields - much like the DIG format. Similarly for SSL Certificates, the FTS stream passes text documents that mirror the `openssl x509` command.
  
 You can see the **different approach taken by Trisul NSM compared to Bro IDS**. Instead of fine grained events preferred by Bro IDS, Trisul provides a text document.  If you wanted to parse the document yourself, you can do that as well using LuaJIT FFI. Here is an example of FFI'ing [[https://github.com/trisulnsm/trisul-scripts/blob/master/lua/backend_scripts/roca/roca.lua|into the OpenSSL  BIGNUM library]] from a script You can see the **different approach taken by Trisul NSM compared to Bro IDS**. Instead of fine grained events preferred by Bro IDS, Trisul provides a text document.  If you wanted to parse the document yourself, you can do that as well using LuaJIT FFI. Here is an example of FFI'ing [[https://github.com/trisulnsm/trisul-scripts/blob/master/lua/backend_scripts/roca/roca.lua|into the OpenSSL  BIGNUM library]] from a script
script/x509_ext_c2.txt · Last modified: 2018/02/09 00:01 by veera