
Can the Splunk App for Stream log the ciphers negotiated during a TLS handshake to detect when a LogJam attack has occurred?

Path Finder

Anyone know if Splunk Stream can log the ciphers negotiated during a TLS handshake? I'm thinking about using it to detect when a LogJam (CVE-2015-4000) attack has occurred.

I can't see anything relevant listed for SSL/TLS in the doco, but I figure it doesn't hurt to ask: http://docs.splunk.com/Documentation/StreamApp/6.2.2/DeployStreamApp/Whattypeofdatadoesthisappcollec...


Re: Can the Splunk App for Stream log the ciphers negotiated during a TLS handshake to detect when a LogJam attack has occurred?

Splunk Employee

It looks like our docs are missing several of the SSL fields available in TCP flow events. Give this query a try:

sourcetype=stream:tcp ssl_signature_algorithm=* | stats count by ssl_signature_algorithm



Re: Can the Splunk App for Stream log the ciphers negotiated during a TLS handshake to detect when a LogJam attack has occurred?

Engager

This search works but I have a large number of hits where ssl_signature_algorithm is not populated, i.e. is empty.

Any idea why?


Re: Can the Splunk App for Stream log the ciphers negotiated during a TLS handshake to detect when a LogJam attack has occurred?

Splunk Employee

I believe it is only populated when there is a new SSL session/handshake. So, it will be empty for subsequent TCP flows that re-use previously negotiated session keys.

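The detection the thread is after, worked through offline as an added example (this is not Splunk's code nor part of the Stream app): it mirrors the `stats count by ssl_signature_algorithm` query from the accepted answer over a handful of constructed stream:tcp-style JSON events, flags flows whose negotiated suite is an export-grade DHE cipher (the downgrade target in LogJam, CVE-2015-4000), and keeps the empty-field case from the last reply separate so that resumed sessions are reported as "no handshake in this flow" rather than silently counted as clean. `ssl_signature_algorithm` is the field named in the thread; `ssl_cipher`, `src_ip` and `dest_ip` are assumed field names used only for this illustration, and the event lines themselves are constructed.

```python
"""Added example: flag export-grade DHE negotiation in Stream-style TCP events.

Not Splunk's code. Field names other than ssl_signature_algorithm are assumptions
made for this illustration; the sample events below are constructed.
"""
import json
from collections import Counter

# Constructed sample, shaped like stream:tcp events exported as JSON lines.
# Event 2 models a flow that resumed an earlier session: no handshake fields.
SAMPLE_EVENTS = """\
{"src_ip":"10.0.0.5","dest_ip":"203.0.113.10","ssl_cipher":"TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA","ssl_signature_algorithm":"sha1WithRSAEncryption"}
{"src_ip":"10.0.0.5","dest_ip":"203.0.113.10","ssl_cipher":"","ssl_signature_algorithm":""}
{"src_ip":"10.0.0.7","dest_ip":"203.0.113.20","ssl_cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","ssl_signature_algorithm":"sha256WithRSAEncryption"}
{"src_ip":"10.0.0.8","dest_ip":"203.0.113.30","ssl_cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","ssl_signature_algorithm":"sha256WithRSAEncryption"}
{"src_ip":"10.0.0.9","dest_ip":"203.0.113.10","ssl_cipher":"TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA","ssl_signature_algorithm":"sha1WithDSA"}
"""


def parse_events(raw):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def classify(event):
    """Return 'no_handshake', 'export_dhe' or 'ok' for one flow.

    An empty ssl_cipher means this flow carried no ClientHello/ServerHello
    (a resumed session or a mid-stream capture), so nothing can be judged
    from it; it must not be folded into the 'ok' bucket.
    """
    cipher = event.get("ssl_cipher", "")
    if not cipher:
        return "no_handshake"
    # LogJam downgrades the handshake to a DHE_EXPORT suite with a 512-bit
    # group; seeing one negotiated at all is the indicator worth alerting on.
    if "DHE" in cipher and "EXPORT" in cipher:
        return "export_dhe"
    return "ok"


def count_by(events, field):
    """Python equivalent of `field=* | stats count by field` (empty values excluded)."""
    return Counter(e[field] for e in events if e.get(field))


def find_export_dhe(events):
    """Return (src_ip, dest_ip, ssl_cipher) for every flow flagged as export-grade DHE."""
    return [
        (e["src_ip"], e["dest_ip"], e["ssl_cipher"])
        for e in events
        if classify(e) == "export_dhe"
    ]


def summarize(events):
    """Counts per classification, so resumed sessions are visible as their own bucket."""
    return Counter(classify(e) for e in events)


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    print("by signature algorithm:", dict(count_by(events, "ssl_signature_algorithm")))
    print("by classification:", dict(summarize(events)))
    for src, dst, cipher in find_export_dhe(events):
        print(f"export-grade DHE negotiated: {src} -> {dst} ({cipher})")
```

The `no_handshake` bucket is the answer to the "why is it empty?" question: those flows reused a session and carry no negotiation to inspect, so a dashboard built on `ssl_signature_algorithm=*` or `ssl_cipher=*` is looking only at flows that actually performed a handshake, which is exactly the population a LogJam downgrade would appear in.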