User Tools
app:tlsfingerprint
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
app:tlsfingerprint [2017/11/29 17:32] veera [What is TLS Fingerprinting] |
app:tlsfingerprint [2018/03/04 07:57] (current) veera |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ~~Title: SJLJSADJA ~~ | + | ~~Title: TLS Fingerprinting using Trisul ~~ |
| ====== TLS Fingerprinter ====== | ====== TLS Fingerprinter ====== | ||
| Line 45: | Line 45: | ||
| ==== Analysis of TLS Fingerprints ==== | ==== Analysis of TLS Fingerprints ==== | ||
| - | What are you going to do with these prints. There are a few options | + | There are two actionable things you can do with these prints |
| + | |||
| * **Malware prints** - These are hard to come by but if you can get a few prints from malware clients. You can flag them quickly. These will likely evade IDS because they use TLS to connect to presumably well known C&C servers with valid certificates etc. | * **Malware prints** - These are hard to come by but if you can get a few prints from malware clients. You can flag them quickly. These will likely evade IDS because they use TLS to connect to presumably well known C&C servers with valid certificates etc. | ||
| * **Anomaly detection** : If you can track known prints,then you can build a large Database over a period of time. After that you can send unseen prints into a "Triage state" where a human can look into it. | * **Anomaly detection** : If you can track known prints,then you can build a large Database over a period of time. After that you can send unseen prints into a "Triage state" where a human can look into it. | ||
| - | |||
| - | In both analysis paths,we think TLS Prints is a valuable piece of intel, especially given we are moving to pervasive TLS. | ||
| - | |||
| - | Lets look at what you can do with TrisulNSM and the new TLS Prints App. | ||
| Line 101: | Line 97: | ||
| ===== Programatically resolving TLS Prints ===== | ===== Programatically resolving TLS Prints ===== | ||
| - | This App dumps all fingerprints along with the parameters used to compute them into a log file. This allows us to programatically resolve unknown fingerprints. | + | This App dumps all fingerprints along with the parameters used to compute them into a log file. This allows us to programatically resolve unknown fingerprints. We released a TRP Ruby script to [[app:auto_fingerprint|programatically resolve TLS Prints using Web Server Access Logs]]. |
app/tlsfingerprint.1511976748.txt.gz · Last modified: 2017/11/29 17:32 by veera
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
