[netsa-tools-discuss] New tool releases: YAF 2.8.0 and super_mediator 1.2.0

Alexandre Dulaunoy a at foo.be
Mon Dec 28 17:20:12 EST 2015


On Mon, Dec 28, 2015 at 3:27 PM, Emily Sarneso <ecoff at cert.org> wrote:
> Hello Alexandre,

Hi Emily,

Thank you for the quick feedback.

> Unfortunately I didn’t include raw certificate export in this super_mediator release.
>
> You can filter out the flows that contain the X.509 certificates and export them in IPFIX by adding the following to the EXPORTER block:
>
> APPLICATION == 443
> DPI_ONLY
>
> However, this will include the full flow record with the certificates (the same way YAF exports them).

This is nice and that indeed works very well. I can get the
subTemplate containing the data records with the basicList for
sslCertificate.

> I didn’t include raw certificate export in this release, primarily because I wasn’t sure how I wanted to do it.  I could easily export the single field (298) in IPFIX to a file(s) but you would still need some IPFIX reader to process the information.  I would be interested in hearing your use cases for this data and how you would like super_mediator to export the certificates.

As we want to use super_mediator as much as possible, the ability to
export raw SSL certificates would really be a nifty feature.

Our approach is the following: we use super_mediator to export JSON
for each 5-minute yaf file. The JSON files are then dispatched via a
ZMQ PUB-SUB channel to be processed by other tools.

So the raw export could be included within the JSON, especially within
the sslCertList section, for each element of the array as
"sslCertificate" encoded in Base64 if present.

Does this make sense to you?

Cheers.
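A consumer for the JSON layout proposed in the message above, added here as an example and not part of this thread or of super_mediator itself: it reads one exported record, decodes the optional base64 "sslCertificate" of each sslCertList element and fingerprints it for later matching. The "flows" wrapper, the key names and the certificate bytes are assumptions and constructed placeholders, not real DER.

```python
import base64
import binascii
import hashlib
import json

# Constructed sample: one flow record in the JSON shape proposed in the
# message (an "sslCertList" array whose elements carry an optional
# base64 "sslCertificate"). The wrapper and key names are assumptions;
# the certificate bytes are placeholders, not real DER certificates.
CERT_A = b"CONSTRUCTED-PLACEHOLDER-CERT-A"
CERT_B = b"CONSTRUCTED-PLACEHOLDER-CERT-B"
SAMPLE_RECORD = json.dumps({
    "flows": {
        "sourceIPv4Address": "192.0.2.10",         # constructed
        "destinationIPv4Address": "198.51.100.5",  # constructed
        "sslCertList": [
            {"sslCertificate": base64.b64encode(CERT_A).decode()},
            {},                                     # field absent: skipped
            {"sslCertificate": "%%not-base64%%"},   # malformed: skipped
            {"sslCertificate": base64.b64encode(CERT_B).decode()},
        ],
    }
})


def extract_certificates(json_line):
    """Parse one exported JSON line and return the decoded certificates
    with their SHA-256 fingerprints, in sslCertList order."""
    record = json.loads(json_line)
    cert_list = record.get("flows", {}).get("sslCertList", [])
    out = []
    for index, element in enumerate(cert_list):
        encoded = element.get("sslCertificate")
        if not encoded:
            continue  # certificate absent for this element ("if present")
        try:
            der = base64.b64decode(encoded, validate=True)
        except (binascii.Error, ValueError):
            continue  # a malformed element must not abort the whole record
        out.append({
            "index": index,
            "der": der,
            "sha256": hashlib.sha256(der).hexdigest(),
        })
    return out


if __name__ == "__main__":
    for cert in extract_certificates(SAMPLE_RECORD):
        print(cert["index"], cert["sha256"], len(cert["der"]))
```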

