script:x509_ext_c2

Differences

This shows you the differences between two versions of the page.

script:x509_ext_c2 [2018/02/09 00:00] – [Detecting covert channels in X.509 Digital Certificates using the Trisul LUA API] veerascript:x509_ext_c2 [2018/02/09 00:01] – [Trisul vs Bro approaches to the same problem] veera
Line 12: Line 12:
  
   - the **Resource** stream:  these are shorter summaries of the meta data. For example the DNS Resources would be one line summary of question and answers. SSL Resources contain the DER format certificate chain.   - the **Resource** stream:  these are shorter summaries of the meta data. For example the DNS Resources would be one line summary of question and answers. SSL Resources contain the DER format certificate chain.
-  - the **FTS** stream: a complete text dump of the meta data. For example : The DNS FTS stream would contain documents with a full dump of all DNS fields - much like the DIG format. Similarly for SSL Certificates, the FTS stream passes text documents that mirror the `openssl x509` command.+  - the **FTS** stream: a complete text dump in some canonical format. For example : The DNS FTS stream would contain documents with a full dump of all DNS fields - much like the DIG format. Similarly for SSL Certificates, the FTS stream passes text documents that mirror the `openssl x509` command.
  
 You can see the **different approach taken by Trisul NSM compared to Bro IDS**. Instead of fine grained events preferred by Bro IDS, Trisul provides a text document.  If you wanted to parse the document yourself, you can do that as well using LuaJIT FFI. Here is an example of FFI'ing [[https://github.com/trisulnsm/trisul-scripts/blob/master/lua/backend_scripts/roca/roca.lua|into the OpenSSL  BIGNUM library]] from a script You can see the **different approach taken by Trisul NSM compared to Bro IDS**. Instead of fine grained events preferred by Bro IDS, Trisul provides a text document.  If you wanted to parse the document yourself, you can do that as well using LuaJIT FFI. Here is an example of FFI'ing [[https://github.com/trisulnsm/trisul-scripts/blob/master/lua/backend_scripts/roca/roca.lua|into the OpenSSL  BIGNUM library]] from a script
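Review bot: In the FTS bullet, "in some canonical format" is vaguer than the wording it replaces, and the edit drops "of the meta data", so the bullet no longer says what is being dumped while the Resource bullet above it still does. Suggest keeping both ideas, for example "a complete text dump of the meta data in a canonical text format", since the examples that follow (DIG-style output for DNS, `openssl x509` output for certificates) already name the formats a script author has to parse. The stray space in "For example : The" could be fixed in the same edit.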
script/x509_ext_c2.txt · Last modified: 2018/02/09 00:01 by veera