Solved: Can the Splunk App for Stream log the ciphers nego...

cygnetix · ‎06-11-2015

Anyone know if Splunk Stream can log the ciphers negotiated during a TLS handshake? I'm thinking about using it to detect when a LogJam (CVE-2015-4000) attack has occurred.

I can't see anything relevant listed for SSL/ TLS in the doco, but I figure it doesn't hurt to ask: http://docs.splunk.com/Documentation/StreamApp/6.2.2/DeployStreamApp/Whattypeofdatadoesthisappcollec...

mdickey_splunk · ‎06-11-2015

It looks like our docs are missing several of the SSL fields available in TCP flow events. Give this query a try:

sourcetype=stream:tcp ssl_signature_algorithm=* | stats count by ssl_signature_algorithm

View solution in original post

mdickey_splunk · ‎06-11-2015

It looks like our docs are missing several of the SSL fields available in TCP flow events. Give this query a try:

sourcetype=stream:tcp ssl_signature_algorithm=* | stats count by ssl_signature_algorithm

vlado · ‎06-11-2015

This search works but I have a large number of hits where ssl_signature_algorithm is not populated ie. is empty.

Any idea why?

mdickey_splunk · ‎06-12-2015

I believe it is only populated when there is a new SSL session/handshake. So, it will be empty for subsequent TCP flows that re-use previously negotiated session keys.

Can the Splunk App for Stream log the ciphers negotiated during a TLS handshake to detect when a LogJam attack has occurred?

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!