Trisul Network Analytics
Developer Zone

User Tools

Site Tools

You are here: Home » script » Detecting covert channels in X.509 Digital Certificates using the Trisul LUA API
Trace:
script:x509_ext_c2

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
script:x509_ext_c2 [2018/02/08 23:53] – [Detecting covert channels in X.509 Digital Certificates using the Trisul LUA API] veerascript:x509_ext_c2 [2018/02/09 00:01] (current) – [Analysing the sample PCAP in Trisul] veera
Line 5: Line 5:
 In this technique the covert channel is built by stuffing chunks of data into  X.509 Certificate Extensions, in this case the "Subject Key Identifier" aka SKI extension. This is usually a hash of 20 bytes.  However this is not used in certificate validation and it appears current commercial network defenses are not checking if this contains a valid value.  The C2 POC uses a large number of certificates with SKI values of 10,000 bytes !  In this technique the covert channel is built by stuffing chunks of data into  X.509 Certificate Extensions, in this case the "Subject Key Identifier" aka SKI extension. This is usually a hash of 20 bytes.  However this is not used in certificate validation and it appears current commercial network defenses are not checking if this contains a valid value.  The C2 POC uses a large number of certificates with SKI values of 10,000 bytes ! 
  
-Detecting this is quite easy with Trisul as well as Bro IDS. This post highlights the different approaches taken.+Detecting this is quite easy with [[https://trisul.org/docs/lua|Trisul]] as well as [[https://www.bro.org/|Bro IDS]]. This post highlights the Trisul approach.
  
-===== The Full Text Search FTS Document =====+===== Trisul vs Bro approaches to the same problem  =====
  
 Trisul extracts metadata from network traffic and makes them available to LUA Scripts. There are two //streams// your scripts can plug into.  Trisul extracts metadata from network traffic and makes them available to LUA Scripts. There are two //streams// your scripts can plug into. 
  
-  - the **Resource** stream:  these are shorter summaries of the meta data. For example the DNS Resources would be one line summary of question and answers +  - the **Resource** stream:  these are shorter summaries of the meta data. For example the DNS Resources would be one line summary of question and answers. SSL Resources contain the DER format certificate chain. 
-  - the **FTS** stream: a complete text dump of the meta data. The DNS FTS stream would be a full dump of all DNS fields - much like the DIG format. Similarly for SSL Certificates, the FTS stream passes text documents that mirror the `openssl x509` command.+  - the **FTS** stream: a complete text dump in some canonical formatFor example : The DNS FTS stream would contain documents with a full dump of all DNS fields - much like the DIG format. Similarly for SSL Certificates, the FTS stream passes text documents that mirror the `openssl x509` command.
  
-You can see the **different approach taken by Trisul NSM compared to Bro IDS**. Instead of fine grained events, Trisul provides a text document. +You can see the **different approach taken by Trisul NSM compared to Bro IDS**. Instead of fine grained events preferred by Bro IDS, Trisul provides a text document.  If you wanted to parse the document yourself, you can do that as well using LuaJIT FFI. Here is an example of FFI'ing [[https://github.com/trisulnsm/trisul-scripts/blob/master/lua/backend_scripts/roca/roca.lua|into the OpenSSL  BIGNUM library]] from a script
  
 ==== Analysing the sample PCAP in Trisul ==== ==== Analysing the sample PCAP in Trisul ====
Line 24: Line 24:
  
  
-Next you have to write a small LUA script that plugs into the FTS SSL Certs Stream. Your script will then get a chance to peek at each certificate //out of the fast packet path// By moving this out of the //Fast Packet Path// (For more on Fast Path and Slow Path in Trisul LUA API see [[https://www.trisul.org/docs/lua/basics.html#stream_processing|"Stream Processing"]])) Trisul gives your scripts a large time budget a few seconds to process without incurring packet loss.  The Trisul LUA API provides the [[https://www.trisul.org/docs/lua/fts_monitor.html|FTS Monitor script]] for exactly this purpose.+Next you have to write a small LUA script that plugs into the FTS SSL Certs Stream. Your script will then get a chance to peek at each certificate //out of the fast packet path// By moving this out of the //Fast Packet Path// ((For more on Fast Path and Slow Path in Trisul LUA API see [[https://www.trisul.org/docs/lua/basics.html#stream_processing|"Stream Processing"]])) Trisul gives your scripts a large time budget a few seconds to process without incurring packet loss.  The Trisul LUA API provides the [[https://www.trisul.org/docs/lua/fts_monitor.html|FTS Monitor script]] for exactly this purpose.
  
 I just put together a quick [[https://github.com/trisulnsm/trisul-scripts/blob/master/lua/backend_scripts/fts/c2-x509-fts.lua|FTS Monitor LUA script on GitHub]] that demonstrates how you can pick apart the cert using a simple regex. The snippet is shown below I just put together a quick [[https://github.com/trisulnsm/trisul-scripts/blob/master/lua/backend_scripts/fts/c2-x509-fts.lua|FTS Monitor LUA script on GitHub]] that demonstrates how you can pick apart the cert using a simple regex. The snippet is shown below
script/x509_ext_c2.1518114212.txt.gz · Last modified: 2018/02/08 23:53 by veera