Trisul Network Analytics
Developer Zone

User Tools

Site Tools

You are here: Home » app » TLS Fingerprinting using Trisul
Trace: Live capture vs PCAP files Configuring ERSPAN packet capture for Network Security Monitoring TLS Fingerprinting using Trisul
app:tlsfingerprint

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
app:tlsfingerprint [2017/11/29 17:32]
veera [What is TLS Fingerprinting] 		app:tlsfingerprint [2018/03/04 07:57] (current)
veera
Line 1: Line 1:
-~~Title: ​SJLJSADJA ​~~ +~~Title: ​TLS Fingerprinting using Trisul ​~~ 
  
 ====== TLS Fingerprinter ====== ====== TLS Fingerprinter ======
Line 45: Line 45:
 ==== Analysis of TLS Fingerprints ==== ==== Analysis of TLS Fingerprints ====
    
-What are you going to do with these prints. There are a few options ​ +There are two actionable things ​you can do with these prints 
 + 
   * **Malware prints** ​ - These are hard to come by  but if you can get a few prints from malware clients. You can flag them quickly. These will likely evade IDS because they use TLS to connect to presumably well known C&C servers with valid certificates etc.   * **Malware prints** ​ - These are hard to come by  but if you can get a few prints from malware clients. You can flag them quickly. These will likely evade IDS because they use TLS to connect to presumably well known C&C servers with valid certificates etc.
   * **Anomaly detection** : If you can track known prints,then you can build a large Database over a period of time. After that you can send unseen prints into a "​Triage state" where a human can look into it.    * **Anomaly detection** : If you can track known prints,then you can build a large Database over a period of time. After that you can send unseen prints into a "​Triage state" where a human can look into it. 
- 
-In both analysis paths,we think TLS Prints is a valuable piece of intel, especially given we are moving to pervasive TLS.  
- 
-Lets look at what you can do with TrisulNSM and the new TLS Prints App. 
  
  
Line 101: Line 97:
 ===== Programatically resolving TLS Prints ===== ===== Programatically resolving TLS Prints =====
  
-This App dumps all fingerprints along with the parameters used to compute them into a log file. This allows us to programatically resolve unknown fingerprints. ​+This App dumps all fingerprints along with the parameters used to compute them into a log file. This allows us to programatically resolve unknown fingerprints. We released a TRP Ruby script to [[app:​auto_fingerprint|programatically resolve TLS Prints using Web Server Access Logs]].
  
  
app/tlsfingerprint.1511976748.txt.gz · Last modified: 2017/11/29 17:32 by veera

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki