[netsa-tools-discuss] New tool releases: YAF 2.8.0 and super_mediator 1.2.0
Emily Sarneso
ecoff at cert.org
Mon Dec 28 09:27:07 EST 2015
Hello Alexandre,
Unfortunately I didn’t include raw certificate export in this super_mediator release.
You can filter out the flows that contain the X.509 certificates and export them in IPFIX by adding the following to the EXPORTER block:
APPLICATION == 443
DPI_ONLY
However, this will include the full flow record with the certificates (the same way YAF exports them).
I didn’t include raw certificate export in this release, primarily because I wasn’t sure how I wanted to do it. I could easily export the single field (298) in IPFIX to a file(s) but you would still need some IPFIX reader to process the information. I would be interested in hearing your use cases for this data and how you would like super_mediator to export the certificates.
Thanks,
Emily
--------------------
Emily Sarneso
CMU/SEI/CERT
ecoff at cert.org
On Dec 24, 2015, at 6:51 AM, Alexandre Dulaunoy <a at foo.be> wrote:
> On Wed, Dec 23, 2015 at 2:27 PM, Emily Sarneso <ecoff at cert.org> wrote:
>
>> * New option for exporting entire X.509 Certificate
>
> Thank you for incorporating the export of entire X.509 certificate.
>
> I enabled the export as recommended in the documentation and disabled
> the hash within the yaf DPI:
>
> yafDPIRules.conf:cert_export_enabled = 1
> yafDPIRules.conf:cert_hash_enabled = 0
>
> It seems that yaf includes sslCertificate (IE 296)
>
> [2015-12-24 11:15:51] yaf starting
> [2015-12-24 11:15:51] Initializing Rules From File: /usr/local/etc/yafApplabelRules.conf
> [2015-12-24 11:15:51] Application Labeler accepted 44 rules.
> [2015-12-24 11:15:51] Application Labeler accepted 0 signatures.
> [2015-12-24 11:15:51] DPI Running for 5 Protocols
> [2015-12-24 11:15:51] Initializing Rules from DPI File /usr/local/etc/yafDPIRules.conf
> [2015-12-24 11:15:51] SSL [Full] Certificate Export Enabled.
> [2015-12-24 11:15:51] DPI rule scanner accepted 25 rules from the DPI Rule File
> [2015-12-24 11:15:51] DPI regular expressions cover 2 protocols
>
> Using super_mediator, I am trying to export the raw certificate. I can
> get the SHA1 hash, which is correct when checked against another Passive
> SSL database, but I cannot get the raw certificate as is.
>
> I tried to get 296 in addition to 298 (sslCertificateSHA1):
>
> OTHER [298, 296]
>
> The hash is properly calculated but the raw certificate is not
> present. In the super_mediator configuration, I haven't seen a reference to 296
> (https://tools.netsa.cert.org/super_mediator/super_mediator.conf.html).
>
> Am I doing something wrong, or is the raw export not supported by
> super_mediator?
>
> Thank you very much.
>
> Cheers.
>
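Emily's point above, that writing field 298 (or 296) to a file in IPFIX still leaves you needing an IPFIX reader, can be illustrated with a minimal one. What follows is an added example, not code from YAF or super_mediator: it builds a constructed IPFIX message (RFC 7011 framing) carrying one template and one data record with sslCertificate (IE 296, variable length, raw DER bytes) and sslCertificateSHA1 (IE 298, 20 bytes), parses it back with a template-driven reader, and checks that the exported SHA-1 actually matches the SHA-1 of the exported certificate bytes. The CERT private enterprise number 6871, the template id, and the stand-in certificate bytes are assumptions made for the example.

```python
"""Minimal IPFIX reader for YAF-style certificate records.

Added example for illustration; not part of YAF or super_mediator.
Assumptions: CERT/NetSA enterprise number 6871 for IEs 296/298, template
id 256, and constructed (not real) DER stand-ins for the certificates.
"""
import hashlib
import struct

CERT_PEN = 6871                 # CERT/NetSA private enterprise number (assumed here)
IE_SSL_CERTIFICATE = 296        # sslCertificate: raw DER bytes, variable length
IE_SSL_CERTIFICATE_SHA1 = 298   # sslCertificateSHA1: 20 fixed bytes
VARLEN = 0xFFFF                 # template length value meaning "variable length"
TEMPLATE_SET_ID = 2

# Constructed stand-ins for DER certificates (not real certificates): one short,
# one over 255 bytes so the 3-byte variable-length encoding is exercised.
SHORT_CERT = b"\x30\x03\x02\x01\x01"
LONG_CERT = b"\x30\x82\x01\x2c" + bytes(300)


def encode_varlen(payload: bytes) -> bytes:
    """RFC 7011 section 7: 1-byte length below 255, else 0xFF plus a 2-byte length."""
    if len(payload) < 255:
        return bytes([len(payload)]) + payload
    return b"\xff" + struct.pack("!H", len(payload)) + payload


def decode_varlen(buf: bytes, pos: int):
    """Return (value, new_pos) for a variable-length field starting at pos."""
    n = buf[pos]
    pos += 1
    if n == 255:
        n = struct.unpack_from("!H", buf, pos)[0]
        pos += 2
    return buf[pos:pos + n], pos + n


def build_cert_message(template_id: int, cert_der: bytes) -> bytes:
    """Constructed IPFIX message: one template set plus one data record (cert, sha1)."""
    fields = [(IE_SSL_CERTIFICATE, VARLEN), (IE_SSL_CERTIFICATE_SHA1, 20)]
    tmpl = struct.pack("!HH", template_id, len(fields))
    for ie, length in fields:
        # enterprise-specific element: high bit set on the id, PEN follows the length
        tmpl += struct.pack("!HHI", ie | 0x8000, length, CERT_PEN)
    tmpl_set = struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(tmpl)) + tmpl
    record = encode_varlen(cert_der) + hashlib.sha1(cert_der).digest()
    data_set = struct.pack("!HH", template_id, 4 + len(record)) + record
    body = tmpl_set + data_set
    # message header: version 10, total length, export time, sequence, observation domain
    return struct.pack("!HHIII", 10, 16 + len(body), 0, 0, 0) + body


def parse_message(msg: bytes) -> list:
    """Parse one IPFIX message into records keyed by (pen, ie) -> raw bytes."""
    version, length = struct.unpack_from("!HH", msg, 0)
    if version != 10 or length != len(msg):
        raise ValueError("not a complete IPFIX v10 message")
    templates, records = {}, []
    off = 16
    while off < length:
        set_id, set_len = struct.unpack_from("!HH", msg, off)
        end, pos = off + set_len, off + 4
        if set_id == TEMPLATE_SET_ID:
            while end - pos >= 4:
                tid, count = struct.unpack_from("!HH", msg, pos)
                pos += 4
                if count == 0:        # withdrawal or trailing padding: nothing to learn
                    break
                fields = []
                for _ in range(count):
                    ie, flen = struct.unpack_from("!HH", msg, pos)
                    pos += 4
                    pen = 0
                    if ie & 0x8000:   # enterprise bit: a 4-byte PEN follows
                        pen = struct.unpack_from("!I", msg, pos)[0]
                        pos += 4
                        ie &= 0x7FFF
                    fields.append((pen, ie, flen))
                templates[tid] = fields
        elif set_id >= 256:           # data set; it needs a template seen earlier
            fields = templates.get(set_id)
            if fields is None:
                raise ValueError(f"data set {set_id} has no template in this message")
            min_len = sum(1 if flen == VARLEN else flen for _, _, flen in fields)
            while min_len and end - pos >= min_len:   # stops on trailing padding
                rec = {}
                for pen, ie, flen in fields:
                    if flen == VARLEN:
                        val, pos = decode_varlen(msg, pos)
                    else:
                        val, pos = msg[pos:pos + flen], pos + flen
                    rec[(pen, ie)] = val
                records.append(rec)
        off = end
    return records


def verify_cert_records(msg: bytes) -> list:
    """For each record carrying both elements, return (cert_der, sha1_hex, hash_matches)."""
    out = []
    for rec in parse_message(msg):
        cert = rec.get((CERT_PEN, IE_SSL_CERTIFICATE))
        digest = rec.get((CERT_PEN, IE_SSL_CERTIFICATE_SHA1))
        if cert is None or digest is None:
            continue
        out.append((cert, digest.hex(), hashlib.sha1(cert).digest() == digest))
    return out


if __name__ == "__main__":
    for cert in (SHORT_CERT, LONG_CERT):
        for der, sha1_hex, ok in verify_cert_records(build_cert_message(256, cert)):
            print(len(der), "bytes", sha1_hex, "hash matches" if ok else "HASH MISMATCH")
```

The hash comparison is the check worth keeping in any real consumer of this data: if a record's sslCertificateSHA1 does not match the SHA-1 of its sslCertificate bytes, the certificate was truncated or corrupted somewhere between the sensor and the file, and that fingerprint should not be used to query a Passive SSL database.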