[netsa-tools-discuss] New tool releases: YAF 2.8.0 and super_mediator 1.2.0

Emily Sarneso ecoff at cert.org
Mon Dec 28 09:27:07 EST 2015


Hello Alexandre,

Unfortunately I didn’t include raw certificate export in this super_mediator release.  

You can filter out the flows that contain the X.509 certificates and export them in IPFIX by adding the following to the EXPORTER block:

APPLICATION == 443
DPI_ONLY

However, this will include the full flow record with the certificates (the same way YAF exports them).  

I didn’t include raw certificate export in this release, primarily because I wasn’t sure how I wanted to do it.  I could easily export the single field (298) in IPFIX to a file(s) but you would still need some IPFIX reader to process the information.  I would be interested in hearing your use cases for this data and how you would like super_mediator to export the certificates.

Thanks,

Emily


--------------------
Emily Sarneso
CMU/SEI/CERT
ecoff at cert.org





On Dec 24, 2015, at 6:51 AM, Alexandre Dulaunoy <a at foo.be> wrote:

> On Wed, Dec 23, 2015 at 2:27 PM, Emily Sarneso <ecoff at cert.org> wrote:
> 
>>        * New option for exporting entire X.509 Certificate
> 
> Thank you for incorporating the export of entire X.509 certificate.
> 
> I enabled the export as recommended in the documentation and disabled
> the hash within the yaf DPI:
> 
> yafDPIRules.conf:cert_export_enabled = 1
> yafDPIRules.conf:cert_hash_enabled = 0
> 
> It seems that yaf includes sslCertificate (IE 296)
> 
> [2015-12-24 11:15:51] yaf starting
> [2015-12-24 11:15:51] Initializing Rules From File:
> /usr/local/etc/yafApplabelRules.conf
> [2015-12-24 11:15:51] Application Labeler accepted 44 rules.
> [2015-12-24 11:15:51] Application Labeler accepted 0 signatures.
> [2015-12-24 11:15:51] DPI Running for 5 Protocols
> [2015-12-24 11:15:51] Initializing Rules from DPI File
> /usr/local/etc/yafDPIRules.conf
> [2015-12-24 11:15:51] SSL [Full] Certificate Export Enabled.
> [2015-12-24 11:15:51] DPI rule scanner accepted 25 rules from the DPI Rule File
> [2015-12-24 11:15:51] DPI regular expressions cover 2 protocols
> 
> Using super_mediator and trying to export the raw certificate. I can
> get the SHA1 hash which
> is correct while checking on another Passive SSL database but I cannot
> get the raw certificate
> as is.
> 
> I tried to get 296 in addition to 298 (sslCertificateSHA1):
> 
>  OTHER [298, 296]
> 
> The hash is properly calculated but the raw certificate is not
> present. In the super_mediator configuration,
> I haven't seen a reference to 296
> (https://tools.netsa.cert.org/super_mediator/super_mediator.conf.html).
> 
> Am I doing something wrong? Or is the raw export not supported by
> super_mediator?
> 
> Thank you very much.
> 
> Cheers.
> 