script:x509_ext_c2
Differences
This shows you the differences between two versions of the page.
script:x509_ext_c2 [2018/02/08 23:51] – [Analysing the sample PCAP in Trisul] veera | script:x509_ext_c2 [2018/02/09 00:01] (current) – [Analysing the sample PCAP in Trisul] veera | ||
Line 3: | Line 3: | ||
I saw a couple of blogs about a new way to create a C2 (Command and Control) channel using X.509 Certificates. This technique is described in //Abusing X.509 Certificates for Covert Data Exchange// ((Dark Reading https:// | I saw a couple of blogs about a new way to create a C2 (Command and Control) channel using X.509 Certificates. This technique is described in //Abusing X.509 Certificates for Covert Data Exchange// ((Dark Reading https:// | ||
- | In this technique the covert channel is built by stuffing chunks of data into X.509 Certificate Extensions, in this case the " | + | In this technique the covert channel is built by stuffing chunks of data into X.509 Certificate Extensions, in this case the " |
- | Detecting this is quite easy with Trisul as well as Bro IDS. This post highlights the different approaches taken. | + | Detecting this is quite easy with [[https:// |
- | ===== The Full Text Search FTS Document | + | ===== Trisul vs Bro approaches to the same problem |
Trisul extracts metadata from network traffic and makes it available to LUA scripts. There are two //streams// your scripts can plug into. | Trisul extracts metadata from network traffic and makes it available to LUA scripts. There are two //streams// your scripts can plug into. | ||
- | - the **Resource** stream: | + | - the **Resource** stream: |
- | - the **FTS** stream: a complete text dump of the metadata. The DNS FTS stream would be a full dump of all DNS fields, much like the output of dig. Similarly for SSL Certificates, | + | - the **FTS** stream: a complete text dump in some canonical format. For example, the DNS FTS stream would contain documents with a full dump of all DNS fields, much like the output of dig. Similarly for SSL Certificates, |
- | You can see the **different approach taken by Trisul NSM compared to Bro IDS**. Instead of fine-grained events, Trisul provides a text document. | + | You can see the **different approach taken by Trisul NSM compared to Bro IDS**. Instead of fine-grained events |
==== Analysing the sample PCAP in Trisul ==== | ==== Analysing the sample PCAP in Trisul ==== | ||
Line 24: | Line 24: | ||
- | Next you have to write a small LUA script that plugs into the FTS SSL Certs Stream. Your script will then get a chance to peek at each certificate //out of the fast packet path// | + | Next you have to write a small LUA script that plugs into the FTS SSL Certs Stream. Your script will then get a chance to peek at each certificate //out of the fast packet path// |
I just put together a quick [[https:// | I just put together a quick [[https:// |
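The detection idea above, as an added stand-alone example that is not the author's script and does not use the Trisul plugin API: it takes a certificate text document in the ''openssl x509 -text'' layout (an assumption about what the FTS SSL Certs document looks like), pulls out the ''X509v3 extensions'' block, measures each extension's payload, and flags any that exceed a size threshold. The threshold of 256 bytes, the sample document and the private OID ''1.3.6.1.4.1.99999.1'' are all constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Bytes of extension payload above which an extension is flagged. This value is
# an assumption for the example, not a Trisul or Bro setting; tune it to your traffic.
EXT_SIZE_THRESHOLD = 256


def _hex_blob(n_bytes: int, indent: int = 16, per_line: int = 16) -> str:
    """Deterministic colon-separated hex dump, used only to build the constructed sample."""
    octets = ["%02X" % (i % 256) for i in range(n_bytes)]
    rows = [":".join(octets[i:i + per_line]) for i in range(0, n_bytes, per_line)]
    return ("\n" + " " * indent).join(rows)


# Constructed sample in the 'openssl x509 -text' layout. It is NOT a real capture;
# the private OID 1.3.6.1.4.1.99999.1 is made up and carries a 400-byte blob.
SAMPLE_DOC = f"""Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4096 (0x1000)
        Issuer: CN=example-ca
        Subject: CN=example-leaf
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                {_hex_blob(20)}
            X509v3 Basic Constraints: critical
                CA:FALSE
            1.3.6.1.4.1.99999.1: 
                {_hex_blob(400)}
    Signature Algorithm: sha256WithRSAEncryption
         00:11:22:33
"""

# An extension header is "<name>:" optionally followed by " critical".
_HEADER = re.compile(r"^(.*?):(?:\s*critical)?$")


def parse_extensions(doc: str) -> Dict[str, str]:
    """Map each extension name (or dotted OID) to its raw value text.

    Header lines share one indent level under 'X509v3 extensions:'; value lines are
    indented deeper. The block ends at the first line indented no deeper than the
    'X509v3 extensions:' line itself (normally 'Signature Algorithm:').
    """
    exts: Dict[str, List[str]] = {}
    block_indent = None
    header_indent = None
    current = None
    for line in doc.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        indent = len(line) - len(line.lstrip())
        if block_indent is None:
            if stripped == "X509v3 extensions:":
                block_indent = indent
            continue
        if indent <= block_indent:
            break
        if header_indent is None:
            header_indent = indent
        if indent == header_indent:
            m = _HEADER.match(stripped)
            if m:
                current = m.group(1)
                exts[current] = []
                continue
        if current is not None and indent > header_indent:
            exts[current].append(stripped)
    return {name: "\n".join(vals) for name, vals in exts.items()}


def payload_size(value: str) -> int:
    """Bytes encoded by a colon-separated hex dump, or the character count for textual values."""
    compact = re.sub(r"[\s:]", "", value)
    if compact and len(compact) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", compact):
        return len(compact) // 2
    return len(compact)


def find_suspicious_extensions(doc: str, threshold: int = EXT_SIZE_THRESHOLD) -> List[Tuple[str, int]]:
    """Return (name, size) for every extension whose payload exceeds the threshold."""
    flagged = []
    for name, value in parse_extensions(doc).items():
        size = payload_size(value)
        if size > threshold:
            flagged.append((name, size))
    return flagged


if __name__ == "__main__":
    for name, size in find_suspicious_extensions(SAMPLE_DOC):
        print(f"ALERT oversized extension {name}: {size} bytes")
```

Run as-is it flags only the made-up private OID. A size threshold alone will also fire on legitimate certificates that carry large extensions, for example a long Subject Alternative Name list or an embedded list of Certificate Transparency SCTs, so in practice you would pair it with an allow-list of well-known extension names and reserve the alert for unknown OIDs or extensions whose payload grows across successive certificates from the same server.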
script/x509_ext_c2.1518114077.txt.gz · Last modified: 2018/02/08 23:51 by veera