Bro SSL cert verification


Tim Desrochers

Nov 1, 2015, 4:52:47 PM11/1/15
to security-onion
Where does Bro pull from to validate SSL certificates? All of my sensors have no internet access, so I always get SSL certificate failures. If I know the site used to validate the certs, I can ask my data center admin to allow access to that specific site.

Thanks

Seth Hall

Nov 2, 2015, 9:24:24 AM11/2/15
to securit...@googlegroups.com

> On Nov 1, 2015, at 4:52 PM, Tim Desrochers <tgdesr...@gmail.com> wrote:
>
> Where does Bro pull from to validate SSL certificates? All of my sensors have no internet access, so I always get SSL certificate failures. If I know the site used to validate the certs, I can ask my data center admin to allow access to that specific site.

Bro ships with its own internal Certificate Authority list that we pull from Mozilla’s repository. It doesn’t reach out to anything at runtime.

There is an additional script that checks with our Certificate Notary to see if we’ve seen the certificate before, but that script isn’t loaded by default and doesn’t sound like that’s what you’re curious about.

If you are curious about the certificate notary, you can see more information about it here:
https://notary.icsi.berkeley.edu

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

Tim Desrochers

Nov 16, 2015, 9:00:46 PM11/16/15
to security-onion
Thank you

Tim Desrochers

Nov 16, 2015, 9:02:40 PM11/16/15
to security-onion
My next question would be: why do I get so many notice.log entries for "unable to verify SSL certificate"? I thought it was because I wasn't comparing them to some cert authority.

Doug Burks

Nov 18, 2015, 8:46:40 AM11/18/15
to securit...@googlegroups.com
There are multiple reasons for "unable to verify SSL". Perhaps if you
could provide an example, we could provide more information.

On Mon, Nov 16, 2015 at 9:02 PM, Tim Desrochers <tgdesr...@gmail.com> wrote:
> My next question would be: why do I get so many notice.log entries for "unable to verify SSL certificate"? I thought it was because I wasn't comparing them to some cert authority.
>



--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

Seth Hall

Nov 19, 2015, 6:43:05 AM11/19/15
to securit...@googlegroups.com

> On Nov 16, 2015, at 9:02 PM, Tim Desrochers <tgdesr...@gmail.com> wrote:
>
> My next question would be: why do I get so many notice.log entries for "unable to verify SSL certificate"? I thought it was because I wasn't comparing them to some cert authority.

By default, Bro is using the CA (Certificate Authority) bundle from Mozilla. We update it for each release of Bro. The problem is that there are a huge number of certificates that are typically seen on networks that aren’t valid due to being self-signed or signed by a non-public certificate authority. Things like Nintendo devices don’t have their certificates signed by public CAs because they don’t need it. Their CA is programmed into the devices they sell, since those are the only things connecting to their encrypted service.

This is an area I’ve been meaning to dig into more for quite a while: getting signing certificates included with Bro from all of these other “known” CAs that aren’t in the browser CA lists.

Michael Bower

Nov 19, 2015, 2:06:24 PM11/19/15
to security-onion
Tim, I found this link helpful.

https://log.nusec.eu/nsm/bro_root_certs.html#short-and-easy-version

I was seeing a lot of validation errors on internal servers. I used gen_certs.py to add the cert for our internal CA.

Mike
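To make Seth's explanation and Mike's pointer concrete, here is an added example of what "adding a private CA" amounts to in Bro 2.x. It is my own code, not Bro's gen_certs.py and not anything from the nusec.eu page: the shipped Mozilla list lives in the redef-able table SSL::root_certs (key: a label, conventionally the subject DN; value: the DER certificate as a Bro string literal with each byte escaped as \xNN), and the script below turns a PEM certificate into the `redef` fragment that appends one entry to that table. The sample PEM is a constructed placeholder (five DER bytes, not a real certificate), and the DN label and file arguments are assumptions.

```python
"""Emit a Bro script fragment adding a private CA to SSL::root_certs.

Added example, not gen_certs.py or any Bro project code. Assumes Bro 2.x,
where SSL::root_certs is a redef-able table[string] of string whose value is
the DER-encoded certificate written as a Bro string literal ("\x30\x82...").
"""
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

# Constructed placeholder: base64 of the DER bytes 30 03 02 01 05, i.e.
# SEQUENCE { INTEGER 5 }. It is NOT a certificate; it only exercises the
# PEM -> DER -> Bro-literal conversion so the example runs offline.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MAMCAQU=
-----END CERTIFICATE-----
"""
SAMPLE_DN = "CN=Example Internal Root CA,O=Example Corp,C=US"  # assumed label


def pem_to_der(pem):
    """Extract the first PEM CERTIFICATE block and base64-decode it to DER."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def der_to_bro_literal(der):
    """Render DER bytes as a Bro string literal with every byte as \\xNN."""
    # Every X.509 certificate is a DER SEQUENCE (tag 0x30); refuse anything else
    # so a wrong file (a key, a CRL, a text file) never ends up in the trust store.
    if not der or der[0] != 0x30:
        raise ValueError("input is not a DER SEQUENCE; not a certificate")
    return '"' + "".join("\\x%02x" % b for b in der) + '"'


def root_certs_redef(dn, pem):
    """Fragment to drop into local.bro; then run `broctl check`, `broctl install`,
    `broctl restart` so the sensors pick it up."""
    literal = der_to_bro_literal(pem_to_der(pem))
    return 'redef SSL::root_certs += {\n\t["%s"] = %s,\n};\n' % (dn, literal)


if __name__ == "__main__":
    import sys
    # usage: python add_root_cert.py "<subject DN label>" ca.pem   (args assumed)
    if len(sys.argv) > 2:
        dn, pem = sys.argv[1], open(sys.argv[2]).read()
    else:
        dn, pem = SAMPLE_DN, SAMPLE_PEM
    sys.stdout.write(root_certs_redef(dn, pem))
```

Only add roots you actually control or that a vendor documents as theirs: every entry in SSL::root_certs becomes a trust anchor for Bro's validation, so a root added to quiet notices from an unknown service also silences any future notice about that service.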

Tim Desrochers

Nov 23, 2015, 7:13:55 AM11/23/15
to security-onion
Sorry for the delay in response, and thank you for the suggestions. As requested, here is a sample of my notice log (sorry, the logs are in JSON):

{"ts":1448280050008,"uid":"ChkLne3kWXsOYQPtsi","id.orig_h":"192.168.10.118","id.orig_p":49756,"id.resp_h":"23.3.81.33","id.resp_p":443,"proto":"tcp","note":"SSL::Invalid_Server_Cert","msg":"SSL certificate validation failed with (unable to get local issuer certificate)","sub":"CN=*.marketo.com,OU=CDN,O=Marketo\u005c, Inc.,L=San Mateo,ST=CA,C=US","src":"192.168.10.118","dst":"23.3.81.33","p":443,"peer_descr":"satcon99-eth2-2","actions":["Notice::ACTION_LOG"],"suppress_for":3600.0,"dropped":false}
{"ts":1448280056050,"uid":"Cg2lfQBm0GDJAU6j6","id.orig_h":"192.168.10.118","id.orig_p":49785,"id.resp_h":"23.7.185.50","id.resp_p":443,"proto":"tcp","note":"SSL::Invalid_Server_Cert","msg":"SSL certificate validation failed with (unable to get local issuer certificate)","sub":"CN=*.marketo.net,OU=CDN,O=Marketo\u005c, Inc.,L=San Mateo,ST=CA,C=US","src":"192.168.10.118","dst":"23.7.185.50","p":443,"peer_descr":"satcon99-eth2-2","actions":["Notice::ACTION_LOG"],"suppress_for":3600.0,"dropped":false}
{"ts":1448280062003,"uid":"CtfJEV3OqHpYpHARUg","id.orig_h":"192.168.10.110","id.orig_p":52876,"id.resp_h":"104.68.142.253","id.resp_p":443,"proto":"tcp","note":"SSL::Invalid_Server_Cert","msg":"SSL certificate validation failed with (unable to get local issuer certificate)","sub":"CN=*.insightexpressai.com,OU=Information Technology,O=InsightExpress LLC,L=Stamford,ST=CT,C=US","src":"192.168.10.110","dst":"104.68.142.253","p":443,"peer_descr":"satcon99-eth2-2","actions":["Notice::ACTION_LOG"],"suppress_for":3600.0,"dropped":false}
{"ts":1448280062224,"uid":"CEfcM121bMU88ELt5l","id.orig_h":"192.168.10.110","id.orig_p":52882,"id.resp_h":"172.231.233.203","id.resp_p":443,"proto":"tcp","note":"SSL::Invalid_Server_Cert","msg":"SSL certificate validation failed with (unable to get local issuer certificate)","sub":"CN=*.ssl.cf2.rackcdn.com,OU=CloudFiles,O=Rackspace US\u005c, Inc,L=San Antonio,ST=TX,C=US","src":"192.168.10.110","dst":"172.231.233.203","p":443,"peer_descr":"satcon99-eth2-2","actions":["Notice::ACTION_LOG"],"suppress_for":3600.0,"dropped":false}
{"ts":1448280063361,"uid":"CUpzF5R9kejBguxHd","id.orig_h":"192.168.10.118","id.orig_p":49854,"id.resp_h":"23.3.101.243","id.resp_p":443,"proto":"tcp","note":"SSL::Invalid_Server_Cert","msg":"SSL certificate validation failed with (unable to get local issuer certificate)","sub":"CN=*.rnengage.com,OU=Cloud Services,O=Oracle Corporation,L=Redwood Shores,ST=CA,C=US","src":"192.168.10.118","dst":"23.3.101.243","p":443,"peer_descr":"satcon99-eth2-2","actions":["Notice::ACTION_LOG"],"suppress_for":3600.0,"dropped":false}
{"ts":1448280096676,"uid":"CatE4T3OdOizNmwCN6","id.orig_h":"192.168.10.110","id.orig_p":52944,"id.resp_h":"69.172.216.111","id.resp_p":443,"proto":"tcp","note":"SSL::Invalid_Server_Cert","msg":"SSL certificate validation failed with (certificate has expired)","sub":"CN=*.adsafeprotected.com,OU=Operations,O=Ad Safe Media\u005c, Ltd.,L=New York,ST=New York,C=US","src":"192.168.10.110","dst":"69.172.216.111","p":443,"peer_descr":"satcon99-eth2-2","actions":["Notice::ACTION_LOG"],"suppress_for":3600.0,"dropped":false}
{"ts":1448280164137,"uid":"CeSVBU2YQRaUQXYYyc","id.orig_h":"192.168.10.118","id.orig_p":50027,"id.resp_h":"65.55.44.108","id.resp_p":443,"proto":"tcp","note":"SSL::Invalid_Server_Cert","msg":"SSL certificate validation failed with (unable to get local issuer certificate)","sub":"CN=settings-win.data.microsoft.com,OU=WSE,O=Microsoft,L=Redmond,ST=WA,C=US","src":"192.168.10.118","dst":"65.55.44.108","p":443,"peer_descr":"satcon99-eth2-2","actions":["Notice::ACTION_LOG"],"suppress_for":3600.0,"dropped":false}
{"ts":1448280500342,"uid":"CoF27hlAxihFGEu04","id.orig_h":"192.168.10.111","id.orig_p":49182,"id.resp_h":"65.55.44.109","id.resp_p":443,"proto":"tcp","note":"SSL::Invalid_Server_Cert","msg":"SSL certificate validation failed with (unable to get local issuer certificate)","sub":"CN=*.vortex-win.data.microsoft.com,OU=WSE,O=Microsoft,L=Redmond,ST=WA,C=US","src":"192.168.10.111","dst":"65.55.44.109","p":443,"peer_descr":"satcon99-eth2-1","actions":["Notice::ACTION_LOG"],"suppress_for":3600.0,"dropped":false}

Here you can see I get a few "unable to get local issuer certificate" notices. After reading the explanations above I assume that these are not able to get local issuer because they either are signed by a non-public certificate authority or were added to the CA after the last update to bro was pushed?
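An added example (my code, not part of the thread) that triages entries like the ones above: it parses notice.log JSON lines, keeps only SSL::Invalid_Server_Cert notices, splits them by the OpenSSL reason inside the parentheses of `msg`, and counts certificate CNs per reason. The split matters for the question just asked: "unable to get local issuer certificate" is OpenSSL's verdict whenever the chain cannot be completed to a root it trusts, so the issuer is a private or vendor CA, a root that entered Mozilla's list after the bundle shipped with this Bro release was built, or the server simply did not send its intermediate; those are the candidates worth checking before adding anything to SSL::root_certs. "certificate has expired" is a different failure that no added root will fix. The sample lines are constructed after Tim's, with fields trimmed; one non-SSL notice is included to show the filter.

```python
"""Triage SSL::Invalid_Server_Cert notices from a JSON notice.log.

Added example, not Bro code. The sample lines are constructed after the
ones posted in this thread (fields trimmed); the grouping is plain log
analysis on top of Bro's output, not a Bro feature.
"""
import json
import re
from collections import Counter, defaultdict

# Constructed sample. Note the JSON escape \u005c in "Marketo\u005c, Inc.": it is
# the backslash with which RFC 4514 escapes a comma inside a DN attribute value.
SAMPLE_NOTICES = [
    r'{"ts":1448280050008,"uid":"C1","id.orig_h":"192.168.10.118","id.orig_p":49756,"id.resp_h":"23.3.81.33","id.resp_p":443,"proto":"tcp","note":"SSL::Invalid_Server_Cert","msg":"SSL certificate validation failed with (unable to get local issuer certificate)","sub":"CN=*.marketo.com,OU=CDN,O=Marketo\u005c, Inc.,L=San Mateo,ST=CA,C=US","actions":["Notice::ACTION_LOG"]}',
    r'{"ts":1448280164137,"uid":"C2","id.orig_h":"192.168.10.118","id.orig_p":50027,"id.resp_h":"65.55.44.108","id.resp_p":443,"proto":"tcp","note":"SSL::Invalid_Server_Cert","msg":"SSL certificate validation failed with (unable to get local issuer certificate)","sub":"CN=settings-win.data.microsoft.com,OU=WSE,O=Microsoft,L=Redmond,ST=WA,C=US","actions":["Notice::ACTION_LOG"]}',
    r'{"ts":1448280096676,"uid":"C3","id.orig_h":"192.168.10.110","id.orig_p":52944,"id.resp_h":"69.172.216.111","id.resp_p":443,"proto":"tcp","note":"SSL::Invalid_Server_Cert","msg":"SSL certificate validation failed with (certificate has expired)","sub":"CN=*.adsafeprotected.com,OU=Operations,O=Ad Safe Media\u005c, Ltd.,L=New York,ST=New York,C=US","actions":["Notice::ACTION_LOG"]}',
    r'{"ts":1448280300000,"uid":"C4","id.orig_h":"192.168.10.110","id.orig_p":53001,"id.resp_h":"23.3.81.33","id.resp_p":443,"proto":"tcp","note":"SSL::Invalid_Server_Cert","msg":"SSL certificate validation failed with (unable to get local issuer certificate)","sub":"CN=*.marketo.com,OU=CDN,O=Marketo\u005c, Inc.,L=San Mateo,ST=CA,C=US","actions":["Notice::ACTION_LOG"]}',
    r'{"ts":1448280400000,"uid":"C5","id.orig_h":"192.168.10.111","id.orig_p":49182,"id.resp_h":"10.0.0.5","id.resp_p":80,"proto":"tcp","note":"Weird::Activity","msg":"bad_HTTP_request","actions":["Notice::ACTION_LOG"]}',
]

# The OpenSSL verification error Bro puts in parentheses at the end of msg.
REASON_RE = re.compile(r"validation failed with \((.+)\)$")
# First CN attribute of the DN; a backslash escapes the next character (RFC 4514),
# so an escaped comma inside a value does not end the attribute.
CN_RE = re.compile(r"(?:^|,)CN=((?:[^,\\]|\\.)*)")

UNKNOWN_ISSUER = "unable to get local issuer certificate"


def subject_cn(dn):
    """Return the CN of a DN string, or the whole DN if it has no CN."""
    m = CN_RE.search(dn)
    return m.group(1) if m else dn


def parse_notice(line):
    """(reason, cn, client, server) for an SSL::Invalid_Server_Cert line, else None."""
    rec = json.loads(line)
    if rec.get("note") != "SSL::Invalid_Server_Cert":
        return None
    m = REASON_RE.search(rec.get("msg", ""))
    reason = m.group(1) if m else "unknown"
    return reason, subject_cn(rec["sub"]), rec["id.orig_h"], rec["id.resp_h"]


def triage(lines):
    """Map OpenSSL failure reason -> Counter of certificate CNs seen with it."""
    by_reason = defaultdict(Counter)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        parsed = parse_notice(line)
        if parsed is None:
            continue
        reason, cn, _client, _server = parsed
        by_reason[reason][cn] += 1
    return dict(by_reason)


def private_ca_candidates(lines):
    """CNs whose chain could not be completed to a root Bro trusts: the only
    notices a new SSL::root_certs entry could ever silence. Expired and other
    failures are deliberately excluded."""
    return sorted(triage(lines).get(UNKNOWN_ISSUER, Counter()))


if __name__ == "__main__":
    # Real use: python triage_ssl_notices.py < /nsm/bro/logs/current/notice.log (path assumed)
    for reason, cns in triage(SAMPLE_NOTICES).items():
        print(reason)
        for cn, n in cns.most_common():
            print("  %4d  %s" % (n, cn))
```

Counting by CN rather than by connection is what makes the output useful: the notice is suppressed per subject for an hour (`suppress_for` 3600), so one noisy CDN host shows up at most once per hour per sensor, and a handful of vendor CNs usually account for most of the volume.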

Doug Burks

Nov 25, 2015, 8:54:02 AM11/25/15
to securit...@googlegroups.com