Anyone know if Splunk Stream can log the ciphers negotiated during a TLS handshake? I'm thinking about using it to detect when a LogJam (CVE-2015-4000) attack has occurred.
I can't see anything relevant listed for SSL/TLS in the doco, but I figure it doesn't hurt to ask: http://docs.splunk.com/Documentation/StreamApp/6.2.2/DeployStreamApp/Whattypeofdatadoesthisappcollec...
It looks like our docs are missing several of the SSL fields available in TCP flow events. Give this query a try:
sourcetype=stream:tcp ssl_signature_algorithm=* | stats count by ssl_signature_algorithm
This search works, but I have a large number of hits where ssl_signature_algorithm is not populated, i.e. is empty.
Any idea why?
I believe it is only populated when there is a new SSL session/handshake. So, it will be empty for subsequent TCP flows that re-use previously negotiated session keys.
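To show what a LogJam check over these flow events could look like, here is an added example (not from the thread and not Splunk's own code): it reads constructed stream:tcp events as JSON lines, treats empty ssl_* fields as resumed sessions as the answer above describes, and flags flows that negotiated an export-grade Diffie-Hellman suite. The field name ssl_cipher, the equivalent SPL in the comment, and the sample values are assumptions.

```python
import json

# Cipher suites with export-grade (512-bit) Diffie-Hellman key exchange, the
# class a LogJam (CVE-2015-4000) downgrade lands on. Names follow the IANA
# TLS cipher suite registry.
EXPORT_DH_SUITES = {
    "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
    "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
}

# Constructed stream:tcp events (JSON lines). Field name ssl_cipher is an
# assumption; values are made up. Second event models a resumed session.
SAMPLE_EVENTS = """\
{"src_ip": "10.0.0.5", "dest_ip": "203.0.113.10", "ssl_version": "TLSv1.2", "ssl_cipher": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}
{"src_ip": "10.0.0.5", "dest_ip": "203.0.113.10", "ssl_version": "", "ssl_cipher": ""}
{"src_ip": "10.0.0.7", "dest_ip": "203.0.113.10", "ssl_version": "TLSv1.0", "ssl_cipher": "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA"}
"""

def classify_flow(event):
    """Return 'resumed', 'ok' or 'export_dh' for one stream:tcp event."""
    cipher = event.get("ssl_cipher", "")
    if not cipher:
        # Empty ssl_* fields: this TCP flow reused a previously negotiated
        # session, so no new cipher was negotiated here.
        return "resumed"
    # Exact registry names plus a pattern catch for any TLS_DH*_EXPORT_* suite.
    if cipher in EXPORT_DH_SUITES or (cipher.startswith("TLS_DH") and "_EXPORT_" in cipher):
        return "export_dh"
    return "ok"

def summarize(raw_json_lines):
    """Count flows per class and list (src, dest, cipher) for export-DH hits.

    Equivalent SPL (field names assumed):
      sourcetype=stream:tcp ssl_cipher=TLS_DH*_EXPORT_*
      | stats count by src_ip dest_ip ssl_cipher
    """
    counts = {"resumed": 0, "ok": 0, "export_dh": 0}
    hits = []
    for line in raw_json_lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        kind = classify_flow(event)
        counts[kind] += 1
        if kind == "export_dh":
            hits.append((event["src_ip"], event["dest_ip"], event["ssl_cipher"]))
    return counts, hits

if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS))
```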