From ac0b120aa26f006a03f88158c515b19c6e8e5032 Mon Sep 17 00:00:00 2001
From: Sandeep Singh
Date: Sat, 8 Oct 2022 03:06:24 +0530
Subject: [PATCH] mismatched ssl detection + ssl template updates (#5256)

* mismatched ssl detection + ssl template updates

* misc fix
---
 ssl/deprecated-tls.yaml | 4 ++--
 ssl/detect-ssl-issuer.yaml | 4 ++--
 ssl/expired-ssl.yaml | 8 +++++++-
 ssl/mismatched-ssl.yaml | 15 +++++++++++++++
 ssl/self-signed-ssl.yaml | 15 +--------------
 ssl/ssl-dns-names.yaml | 2 +-
 ssl/tls-version.yaml | 2 +-
 7 files changed, 29 insertions(+), 21 deletions(-)
 create mode 100644 ssl/mismatched-ssl.yaml

diff --git a/ssl/deprecated-tls.yaml b/ssl/deprecated-tls.yaml
index 100968c9c57..ba9903927e6 100644
--- a/ssl/deprecated-tls.yaml
+++ b/ssl/deprecated-tls.yaml
@@ -16,8 +16,8 @@ info:
 
 ssl:
   - address: "{{Host}}:{{Port}}"
-    min_version: sslv3
-    max_version: sslv3
+    min_version: ssl30
+    max_version: ssl30
 
     extractors:
       - type: json
diff --git a/ssl/detect-ssl-issuer.yaml b/ssl/detect-ssl-issuer.yaml
index b6aaf608c2f..b146b346e51 100644
--- a/ssl/detect-ssl-issuer.yaml
+++ b/ssl/detect-ssl-issuer.yaml
@@ -1,4 +1,4 @@
-id: detect-ssl-issuer
+id: ssl-issuer
 
 info:
   name: Detect SSL Certificate Issuer
@@ -12,4 +12,4 @@ ssl:
     extractors:
       - type: json
         json:
-          - " .issuer_organization[]"
+          - " .issuer_org[]"
diff --git a/ssl/expired-ssl.yaml b/ssl/expired-ssl.yaml
index d72fb1e3794..f77e318d333 100644
--- a/ssl/expired-ssl.yaml
+++ b/ssl/expired-ssl.yaml
@@ -8,7 +8,13 @@ info:
 
 ssl:
   - address: "{{Host}}:{{Port}}"
+
     matchers:
       - type: dsl
         dsl:
-          - "unixtime() > not_after"
+          - "expired == true"
+
+    extractors:
+      - type: kval
+        kval:
+          - "not_after"
\ No newline at end of file
diff --git a/ssl/mismatched-ssl.yaml b/ssl/mismatched-ssl.yaml
new file mode 100644
index 00000000000..f688c931e58
--- /dev/null
+++ b/ssl/mismatched-ssl.yaml
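Review bot: The renamed id `ssl-issuer` in the first detect-ssl-issuer.yaml hunk no longer matches the file name detect-ssl-issuer.yaml, and any template-id filter that still references `detect-ssl-issuer` would stop matching without any error; either keep the old id or rename the file alongside it. In the second hunk the new json path keeps a leading space, `" .issuer_org[]"`, while the ssl-dns-names.yaml and tls-version.yaml hunks in this same patch drop theirs; write it as `- ".issuer_org[]"` so the ssl templates stay consistent.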
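Review bot: The last added line of expired-ssl.yaml, `- "not_after"`, leaves the file without a terminating newline (the `\ No newline at end of file` marker), and the same applies to the new mismatched-ssl.yaml, self-signed-ssl.yaml and ssl-dns-names.yaml hunks; add a trailing newline to each so later edits do not produce spurious whole-line diffs. The switch from `unixtime() > not_after` to `expired == true` hands the expiry decision to the engine, which is a good simplification, but it presumably requires an engine release that exposes `expired` for ssl responses, so it would be worth stating the minimum supported version in the commit description.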
@@ -0,0 +1,15 @@
+id: mismatched-ssl
+
+info:
+  name: Mismatched SSL Certificate
+  author: pdteam
+  severity: low
+  tags: ssl
+
+ssl:
+  - address: "{{Host}}:{{Port}}"
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "mismatched == true"
\ No newline at end of file
diff --git a/ssl/self-signed-ssl.yaml b/ssl/self-signed-ssl.yaml
index ff4d602cb57..fca7bdcca13 100644
--- a/ssl/self-signed-ssl.yaml
+++ b/ssl/self-signed-ssl.yaml
@@ -9,20 +9,7 @@ info:
 
 ssl:
   - address: "{{Host}}:{{Port}}"
-    extractors:
-      - type: json
-        name: common_name
-        json:
-          - ".common_name[]"
-        internal: true
-
-      - type: json
-        name: issuer_common_name
-        json:
-          - ".issuer_common_name[]"
-        internal: true
-
     matchers:
       - type: dsl
         dsl:
-          - "common_name == issuer_common_name"
\ No newline at end of file
+          - "self_signed == true"
\ No newline at end of file
diff --git a/ssl/ssl-dns-names.yaml b/ssl/ssl-dns-names.yaml
index 34fda5a6e25..0e29bbfb1ef 100644
--- a/ssl/ssl-dns-names.yaml
+++ b/ssl/ssl-dns-names.yaml
@@ -12,4 +12,4 @@ ssl:
     extractors:
       - type: json
         json:
-          - " .dns_names[]"
+          - ".subject_an[]"
\ No newline at end of file
diff --git a/ssl/tls-version.yaml b/ssl/tls-version.yaml
index c5d3afc1db5..db5327af298 100644
--- a/ssl/tls-version.yaml
+++ b/ssl/tls-version.yaml
@@ -12,4 +12,4 @@ ssl:
     extractors:
       - type: json
         json:
-          - " .tls_version"
+          - ".tls_version"
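Review bot: The new mismatched-ssl.yaml carries no `description` or `reference` in its info block, so a user seeing the `mismatched == true` hit has nothing in the template explaining what was compared. Assuming `mismatched` reflects a comparison of the certificate against the host name used in `address: "{{Host}}:{{Port}}"`, a target supplied as an IP address would presumably be reported as mismatched on every certificate, which is the main false-positive case to document; I would add `description: Reports certificates whose names do not match the host used to connect; scan with host names rather than IP addresses to avoid spurious matches.` under `tags: ssl`, adjusting the wording once the engine's definition of `mismatched` is confirmed.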
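Review bot: The ssl-dns-names.yaml hunk replaces `.dns_names[]` with `.subject_an[]`, and if `subject_an` carries every subject alternative name (IP address and email entries as well as DNS names) rather than only DNS names, the template's id and `name` (outside this hunk) now understate what it emits; confirm the field's contents against the engine's ssl response and either update the name/description or keep a DNS-only field if one exists. The replacement also drops the leading space from the json path, which is the cleaner form, so the detect-ssl-issuer.yaml hunk should follow suit.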