All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can the Splunk App for Stream log the ciphers negotiated during a TLS handshake to detect when a LogJam attack has occurred?

cygnetix
Path Finder
‎06-11-2015 03:27 PM

Anyone know if Splunk Stream can log the ciphers negotiated during a TLS handshake? I'm thinking about using it to detect when a LogJam (CVE-2015-4000) attack has occurred.

I can't see anything relevant listed for SSL/ TLS in the doco, but I figure it doesn't hurt to ask: http://docs.splunk.com/Documentation/StreamApp/6.2.2/DeployStreamApp/Whattypeofdatadoesthisappcollec...

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mdickey_splunk
Splunk Employee
Splunk Employee
‎06-11-2015 04:00 PM

It looks like our docs are missing several of the SSL fields available in TCP flow events. Give this query a try:

sourcetype=stream:tcp ssl_signature_algorithm=* | stats count by ssl_signature_algorithm

View solution in original post

Reply
Solved! Jump to solution
Solution

mdickey_splunk
Splunk Employee
Splunk Employee
‎06-11-2015 04:00 PM

It looks like our docs are missing several of the SSL fields available in TCP flow events. Give this query a try:

sourcetype=stream:tcp ssl_signature_algorithm=* | stats count by ssl_signature_algorithm
Reply
Solved! Jump to solution

vlado
Engager
‎06-11-2015 06:32 PM

This search works but I have a large number of hits where ssl_signature_algorithm is not populated ie. is empty.

Any idea why?

0 Karma
Reply
Solved! Jump to solution

mdickey_splunk
Splunk Employee
Splunk Employee
‎06-12-2015 08:27 AM

I believe it is only populated when there is a new SSL session/handshake. So, it will be empty for subsequent TCP flows that re-use previously negotiated session keys.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...