bkirk
Level 7

Certificates associated with malware added to SSL Blacklist


SC Mag has an article related to blocking web traffic to certificates associated with malware. 

http://www.scmagazine.com/certificates-associated-with-malware-added-to-ssl-blacklist/article/361264...

Has anyone done this in webgateway I would be interested in applying this to my ruleset, using the external list they have in the article.

Thank you,

Brian

Accepted Solutions
asabban
Level 17

Re: Certificates associated with malware added to SSL Blacklist


Hello,

there are two ways to add the list.

1)

To add it as a "subscribed list", e.g. a list that shows up along with its content in the "lists" section of the UI, you have to make a local copy of the list and modify it, since MWG cannot understand the format the list is in. If there is a web server running somewhere, use a command like this (probably via cron) to mark up the list. It is also important to tell the type of the list, which is done by writing it into the very first line:

$ echo "type=string" > ssl_subscribed_list.txt && curl -s "https://sslbl.abuse.ch/blacklist/sslblacklist.csv" | grep -v '^#' | cut -d, -f 2 >> ssl_subscribed_list.txt

It will write a file "ssl_subscribed_list.txt" with only SHA1 hashes in it. You can add this as a string list to MWG now:

[Screenshot: 2014-07-22 11_32_53-Setup.png]

The list shows up in MWG:

[Screenshot: 2014-07-22 11_33_57-McAfee _ Web Gateway - MWG7-Test-1 - 10.140.184.144.png]

You can now easily make a rule that says "SSL.Server.Certificate.SHA1Digest is in list  <your list> => Block".

2)

Use an external list with cache. The external list basically is a "live lookup" so you tell MWG to fetch the blacklist when an SSL web site is visited. The nice thing for external lists is that you can pre-define the content type and apply a regular expression when the call to the web server is made. Set the cache to 90 minutes or higher to avoid MWG fetching the list too often.

Basically when a user accesses an HTTPS web site MWG calls the Blacklist (or uses the locally cached copy). It uses a regular expression to remove everything but the SHA1 hashes, so a string list with SHA1 hashes comes back and is stored in a user-defined property.


You can apply a rule like "SSL.Server.Certificate.SHA1Digest is in list <your user-defined property> => Block".

The nice thing is that you generally do not need to make a copy of the list. The downside is that for every HTTPS site request MWG theoretically polls the server. The cache helps here. When the server is down it is possible that MWG will present an error to the user while the "subscribed list" in 1.) continues to work as it resides on the disk and not only in memory.

I will add an example for 2). I strongly recommend using option 1. If there is enough interest I can also find out if we are allowed to provide you with a pre-converted list, which would come as a "McAfee Maintained" list.

Best,

Andre

Message edited by asabban on 22.07.14 11:42:12 MESZ

Message edited by asabban on 22.07.14 11:44:01 MESZ

Message edited by asabban on 22.07.14 11:47:13 MESZ
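The conversion from option 1, worked through as an added example (this is not code from the thread or from McAfee): it turns the abuse.ch CSV into the "type=string" list format, but unlike the one-liner it also validates that each extracted value really is a 40-hex-digit SHA1 fingerprint, normalises case and de-duplicates, and then checks a digest against the list the way the rule "SSL.Server.Certificate.SHA1Digest is in list <your list>" would. The sample CSV is constructed from the snippet posted in this thread plus two deliberately bad rows; the function names and the temporary file are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): build an MWG "type=string" subscribed
# list from the abuse.ch SSL Blacklist CSV, keeping only well-formed SHA1
# fingerprints, and look a digest up the way the rule
# "SSL.Server.Certificate.SHA1Digest is in list <list>" would.

# Constructed sample standing in for the output of
#   curl -s "https://sslbl.abuse.ch/blacklist/sslblacklist.csv"
# It deliberately contains an upper-case duplicate and a malformed row.
SAMPLE_CSV='################################################################
# abuse.ch SSL Fingerprint Blacklist (CSV)                     #
################################################################
#
# Timestamp of Listing (UTC),SSL certificate SHA1 Fingerprint,Listing reason
2014-07-19 07:33:58,27fc1e59181f38788c4987086c3338c1af107820,KINS C&C
2014-07-19 07:32:51,BE1A584A85C879F8555D984FC36BEF69DB6D8AD5,KINS C&C
2014-07-19 07:32:51,be1a584a85c879f8555d984fc36bef69db6d8ad5,KINS C&C
2014-07-19 07:22:53,not-a-fingerprint,malformed row (constructed)
2014-07-19 07:22:51,4ec974448fe04ab3697ac708cc6542efd4b3e46c,KINS C&C'

# csv_to_string_list OUTFILE
# Reads the CSV on stdin and writes the subscribed-list file: the mandatory
# "type=string" header, then one lower-case 40-hex-digit fingerprint per line,
# de-duplicated. Anything that is not a fingerprint is dropped rather than
# imported as a value that could never match a certificate.
csv_to_string_list() {
    out="$1"
    {
        echo "type=string"
        grep -v '^#' \
            | cut -d, -f2 \
            | tr '[:upper:]' '[:lower:]' \
            | grep -E '^[0-9a-f]{40}$' \
            | sort -u
    } > "$out"
}

# list_entry_count LISTFILE -> number of fingerprints (header excluded)
list_entry_count() {
    grep -vc '^type=' "$1" || true
}

# digest_blocked LISTFILE DIGEST
# Exit 0 when DIGEST is on the list, i.e. when the block rule would fire.
# The digest is normalised to lower case so that upper-case input still matches.
digest_blocked() {
    d=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    grep -qxF "$d" "$1"
}

# Stand-alone demo on the constructed sample.
LIST=$(mktemp)
printf '%s\n' "$SAMPLE_CSV" | csv_to_string_list "$LIST"
echo "entries: $(list_entry_count "$LIST")"          # 3 (duplicate and bad row dropped)
digest_blocked "$LIST" 27FC1E59181F38788C4987086C3338C1AF107820 \
    && echo "blocked" || echo "allowed"                # blocked
rm -f "$LIST"
```

The validation step matters for the subscribed-list import: the "content could not be identified" coordinator error seen earlier in the thread comes from feeding MWG the raw CSV, and a stray column or a changed header format would otherwise end up as silent non-matching entries.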
9 Replies
McAfee Employee

Re: Certificates associated with malware added to SSL Blacklist


Hi Brian,

In the certificate verification ruleset, you could create another rule to look at the SHA1 hash of the certificate and block based on the sha1 hash.

MWG has properties for this:

SSL.Server.Certificate.SHA1Digest

Additionally, @asabban, created a McAfee Maintained list for certificates "This list contains SHA1 hashes of certificates which are known to be fraudulent and/or used for malicious activities.". Currently it is populated with a few related to google and yahoo.

Best,

Jon

bkirk
Level 7

Re: Certificates associated with malware added to SSL Blacklist


Ok is there an easy way to add this list?

https://sslbl.abuse.ch/blacklist/sslblacklist.csv

Here is a snippet from the list. When I load this into an external customer maintained list of type string it fails with the following error:

Coordinator error Update of customer subscribed list: preview (com.scur.type.string.139) failed. Not possible to create the list because the content could not be identified

################################################################
# abuse.ch SSL Fingerprint Blacklist (CSV)                     #
# Last updated: 2014-07-21 18:00:01 (UTC)                      #
#                                                              #
# Terms Of Use: https://sslbl.abuse.ch/blacklist/              #
# For questions please contact sslbl [at] abuse.ch             #
################################################################
#
# Timestamp of Listing (UTC),SSL certificate SHA1 Fingerprint,Listing reason
2014-07-19 07:33:58,27fc1e59181f38788c4987086c3338c1af107820,KINS C&C
2014-07-19 07:32:51,be1a584a85c879f8555d984fc36bef69db6d8ad5,KINS C&C
2014-07-19 07:22:53,82e215a96a60b2effd68d89c35e4aef0f8ca6349,KINS C&C
2014-07-19 07:22:51,4ec974448fe04ab3697ac708cc6542efd4b3e46c,KINS C&C

Message was edited by: bkirk on 7/21/14 1:28:46 PM CDT
McAfee Employee

Re: Certificates associated with malware added to SSL Blacklist


Hi Andre!

For your ruleset you might want to add Command.Name equals CERTVERIFY to the ruleset criteria. If someone places it outside of the SSL scanning certificate checking rules, then you will get a rule engine error (because there is no cert to filter).

Best,
jon

asabban
Level 17

Re: Certificates associated with malware added to SSL Blacklist


Hey Jon,

yes, that's right. I have talked to the guys who operate the blacklist and they gave me permission to make this into a "McAfee Maintained List". I will prepare the list and some new rules, so you don't need to bother about converting the list on your own.

Best,

Andre

bkirk
Level 7

Re: Certificates associated with malware added to SSL Blacklist


That is great.  I have the current list in my test policy, but am looking forward to using a "McAfee Maintained List" instead of jumping through the hoops to get this list working.

Looking forward to your posting.

Thank you,

Brian

asabban
Level 17

Re: Certificates associated with malware added to SSL Blacklist


Hello,

I have created a rule set and a McAfee Maintained list. It should be enough to import the rule set which can be found at

https://contentsecurity.mcafee.com/ruleset_library?q=50044

It should automatically create the McAfee Maintained list. Also it contains the "CERTVERIFY" condition. I have tested it with a sample URL and it seems to work as expected. Please feel free to give it a try and please let me know in case things are unclear or any problems occur.

Best,

Andre

darkfell
Level 9

Re: Certificates associated with malware added to SSL Blacklist


Hi. How can I create another McAfee Maintained list for information on Zeus? (https://zeustracker.abuse.ch/blocklist.php)

McAfee Employee

Re: Certificates associated with malware added to SSL Blacklist


Hello,

that would not be a list maintained by us but by you - a Customer Maintained list.

Here is a script (quick and dirty) that you can put into a cron on any web server and build a list:

#!/bin/bash

# Fetch the ZeuS Tracker domain blocklist into a known file name.
# --no-check-certificate skips TLS verification of the download, so drop it once the abuse.ch CA is trusted on this host.
wget -q --no-check-certificate -O baddomains.txt "https://zeustracker.abuse.ch/blocklist.php?download=baddomains"

# MWG needs the list type on the very first line.
echo "type=string" > list.txt

# Append every non-comment line (one domain per line).
grep -v '^#' baddomains.txt >> list.txt

This will produce a new file (list.txt) that can be imported as subscribed list.

thanks,

Michael

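Both cron-style scripts in this thread rewrite the published list file directly, so a failed download (abuse.ch unreachable, HTTP error, empty body) leaves a list holding nothing but the "type=string" header, and the block rule silently stops matching. The following is an added example, not code from the thread or from McAfee, of a refresh step that validates the freshly built file and only then swaps it into place atomically; otherwise the previously published copy stays in service, which is what the "subscribed list continues to work" property relies on. The file names, the minimum-entries threshold and the `logger` call in the commented usage are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): publish a refreshed subscribed list
# only if it passed basic sanity checks; otherwise keep the old one.

# publish_list NEWFILE PUBLISHED MIN_ENTRIES
# Returns 0 and atomically replaces PUBLISHED with NEWFILE when NEWFILE has a
# "type=" header on line 1 and at least MIN_ENTRIES entries; returns 1 and
# leaves PUBLISHED untouched otherwise.
publish_list() {
    new="$1"; published="$2"; min="$3"
    [ -s "$new" ] || return 1
    head -n 1 "$new" | grep -q '^type=' || return 1
    n=$(grep -vc '^type=' "$new") || true
    [ "$n" -ge "$min" ] || return 1
    # A rename inside one directory is atomic, so the web server never hands
    # MWG a half-written list.
    mv -f "$new" "$published"
}

# Typical cron usage (not run here; needs network access; paths assumed):
#   wget -q -O /var/www/lists/download.tmp "https://zeustracker.abuse.ch/blocklist.php?download=baddomains"
#   { echo "type=string"; grep -v '^#' /var/www/lists/download.tmp; } > /var/www/lists/candidate.tmp
#   publish_list /var/www/lists/candidate.tmp /var/www/lists/list.txt 100 || logger "list refresh rejected"

# Offline demo with constructed data: a good refresh is published, a failed
# one is rejected and the previously published list survives.
WORK=$(mktemp -d)
printf 'type=string\nbad-domain.example\nworse-domain.example\n' > "$WORK/candidate.tmp"
publish_list "$WORK/candidate.tmp" "$WORK/list.txt" 1 && echo "published"
printf 'type=string\n' > "$WORK/candidate.tmp"       # what a failed download produces
publish_list "$WORK/candidate.tmp" "$WORK/list.txt" 1 || echo "rejected, keeping previous list"
grep -c '' "$WORK/list.txt"                            # 3: header plus two domains
rm -rf "$WORK"
```

Pick MIN_ENTRIES from the size the list normally has (the SSL blacklist and the ZeuS domain list both run to hundreds of entries), so a truncated download is rejected but normal day-to-day shrinkage is not.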