[netsa-tools-discuss] New tool releases: YAF 2.8.0 and super_mediator 1.2.0
Alexandre Dulaunoy
a at foo.be
Thu Dec 24 06:51:38 EST 2015
On Wed, Dec 23, 2015 at 2:27 PM, Emily Sarneso <ecoff at cert.org> wrote:
> * New option for exporting entire X.509 Certificate
Thank you for incorporating the export of entire X.509 certificate.
I enabled the export as recommended in the documentation and disabled the hash within the yaf DPI:
yafDPIRules.conf:cert_export_enabled = 1
yafDPIRules.conf:cert_hash_enabled = 0
It seems that yaf includes sslCertificate (IE 296)
[2015-12-24 11:15:51] yaf starting
[2015-12-24 11:15:51] Initializing Rules From File:
/usr/local/etc/yafApplabelRules.conf
[2015-12-24 11:15:51] Application Labeler accepted 44 rules.
[2015-12-24 11:15:51] Application Labeler accepted 0 signatures.
[2015-12-24 11:15:51] DPI Running for 5 Protocols
[2015-12-24 11:15:51] Initializing Rules from DPI File
/usr/local/etc/yafDPIRules.conf
[2015-12-24 11:15:51] SSL [Full] Certificate Export Enabled.
[2015-12-24 11:15:51] DPI rule scanner accepted 25 rules from the DPI Rule File
[2015-12-24 11:15:51] DPI regular expressions cover 2 protocols
I am using super_mediator and trying to export the raw certificate. I can get the SHA1 hash, which is correct when checked against another Passive SSL database, but I cannot get the raw certificate as is.
I tried to get 296 in addition to 298 (sslCertificateSHA1):
OTHER [298, 296]
The hash is properly calculated but the raw certificate is not present. In the super_mediator configuration, I haven't seen a reference to 296 (https://tools.netsa.cert.org/super_mediator/super_mediator.conf.html).
Am I doing something wrong, or is the raw export not supported by super_mediator?
Thank you very much.
Cheers.
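As an added example (not from the post, yaf or super_mediator), here is a small checker that relates the two elements discussed above: it extracts the DER certificates from a TLS Certificate handshake message (the bytes yaf exports as sslCertificate, IE 296) and compares their SHA-1 against an exported sslCertificateSHA1 (IE 298) or a passive SSL database entry. It assumes IE 298 is SHA-1 over the DER bytes; the sample message and its placeholder "certificates" are constructed and are not real certificates.

```python
import hashlib
from typing import List

HANDSHAKE_CERTIFICATE = 11  # TLS handshake type for the Certificate message


def parse_certificate_message(msg: bytes) -> List[bytes]:
    """Return the DER certificates in a TLS 1.0-1.2 Certificate message.

    Layout: type(1) | length(3) | certs_length(3) | repeated (cert_length(3) | DER).
    Every length is checked so a truncated capture raises instead of
    yielding a partial (and therefore wrongly hashed) certificate.
    """
    if len(msg) < 7 or msg[0] != HANDSHAKE_CERTIFICATE:
        raise ValueError("not a Certificate handshake message")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake body")
    certs_len = int.from_bytes(body[0:3], "big")
    certs = body[3:3 + certs_len]
    if len(certs) != certs_len:
        raise ValueError("truncated certificate list")
    out, pos = [], 0
    while pos < len(certs):
        n = int.from_bytes(certs[pos:pos + 3], "big")
        der = certs[pos + 3:pos + 3 + n]
        if pos + 3 > len(certs) or len(der) != n:
            raise ValueError("truncated certificate entry")
        out.append(der)
        pos += 3 + n
    return out


def sha1_fingerprint(der: bytes) -> str:
    """Assumed to be what IE 298 (sslCertificateSHA1) carries: SHA-1 of the DER."""
    return hashlib.sha1(der).hexdigest()


def matching_certs(msg: bytes, expected_sha1: str) -> List[bytes]:
    """Return the exported raw certs whose fingerprint equals the exported hash."""
    return [d for d in parse_certificate_message(msg)
            if sha1_fingerprint(d) == expected_sha1.lower()]


def build_certificate_message(ders: List[bytes]) -> bytes:
    """Constructed sample input: wrap DER blobs in a Certificate message."""
    entries = b"".join(len(d).to_bytes(3, "big") + d for d in ders)
    body = len(entries).to_bytes(3, "big") + entries
    return bytes([HANDSHAKE_CERTIFICATE]) + len(body).to_bytes(3, "big") + body


# Placeholder DER-looking blobs (a SEQUENCE header plus filler), not real certs.
SAMPLE_CERTS = [b"\x30\x82\x00\x10" + b"A" * 16, b"\x30\x82\x00\x08" + b"B" * 8]
SAMPLE_MESSAGE = build_certificate_message(SAMPLE_CERTS)
```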