Grok filter for parsing SSL ciphers?

Has anyone already created a Grok filter for extracting key exchange, encryption, signature and integrity information out of the OpenSSL cipher?

For example, I have the following raw information "ECDHE-RSA-CHACHA20-POLY1305" within the field "ssl_cipher".

This breaks down into:

  • "ssl_cipher_exchange" => "ECDHE"
  • "ssl_cipher_signature" => "RSA"
  • "ssl_cipher_encryption" => "CHACHA20"
  • "ssl_cipher_mac" => "POLY1305"

This could be a no-brainer; however, it is not that simple. Have a look at the possible raw cipher information from the OpenSSL documentation (2nd column).

You will see that there are many more "formats" for the raw information than the above-mentioned example.

For example we also may have:

  • EXP-RC4-MD5
  • RC4-MD5
  • EXP-ADH-RC4-MD5
  • EXP-EDH-DSS-DES-CBC-SHA
  • DHE-DSS-SEED-SHA

The only solution I came up with was text matching instead of pattern matching. So I am matching for e.g. "ECDHE" and adding the field manually.

Has anyone come up with a solution using Grok pattern matches instead of text matches?
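A regex-based parser covering the name formats listed in the question, added here as an example (it is not from the original thread). The pattern uses named captures, which grok also accepts in the `(?<name>...)` form, so its body can be ported into a grok filter; the field names are the ones from the question plus an assumed `ssl_cipher_export` flag, and the token lists cover common legacy OpenSSL names but are not exhaustive.

```python
import re

# Named-capture regex for legacy OpenSSL cipher-suite names. Grok accepts
# the same body with (?<name>...) instead of Python's (?P<name>...).
# Token lists are not exhaustive; extend them for suites you actually see.
CIPHER_RE = re.compile(
    r"^(?P<export>EXP(?:1024)?-)?"                       # export-grade prefix
    r"(?:(?P<kx>ECDHE|ECDH|AECDH|ADH|EDH|DHE|DH|PSK)"    # key exchange
    r"(?:-(?P<auth>RSA|DSS|ECDSA|PSK))?-)?"              # authentication
    r"(?P<enc>NULL|RC2-CBC|RC4|DES-CBC3|DES-CBC|IDEA-CBC|SEED|"
    r"AES(?:128|256)(?:-GCM|-CBC|-CCM)?|CAMELLIA(?:128|256)|CHACHA20)"
    r"-(?P<mac>MD5|SHA256|SHA384|SHA|POLY1305)$"
)

def parse_cipher(name):
    """Split an OpenSSL cipher name into the fields used in the question.

    Returns None when the name does not match, so a grok-style _parsefailure
    tag can be applied instead of emitting wrong fields.
    """
    m = CIPHER_RE.match(name)
    if not m:
        return None
    kx, auth = m.group("kx"), m.group("auth")
    if kx is None:                 # bare names such as RC4-MD5 mean RSA kx + RSA auth
        kx, auth = "RSA", "RSA"
    elif kx == "EDH":              # older spelling of DHE
        kx = "DHE"
    if kx in ("ADH", "AECDH"):     # anonymous suites: no peer authentication at all
        kx, auth = kx[1:], "NONE"
    if auth is None:               # ECDH-/DH-/PSK- names without an explicit auth token
        auth = "PSK" if kx == "PSK" else "RSA"
    # For AEAD suites (-GCM, CHACHA20-POLY1305) the last token is the PRF hash or
    # AEAD tag rather than a separate HMAC; it is kept under ssl_cipher_mac to
    # match the field names in the question.
    return {
        "ssl_cipher_exchange": kx,
        "ssl_cipher_signature": auth,
        "ssl_cipher_encryption": m.group("enc"),
        "ssl_cipher_mac": m.group("mac"),
        "ssl_cipher_export": m.group("export") is not None,  # assumed extra field
    }

if __name__ == "__main__":
    for name in ("ECDHE-RSA-CHACHA20-POLY1305", "EXP-EDH-DSS-DES-CBC-SHA", "RC4-MD5"):
        print(name, parse_cipher(name))
```

The `ssl_cipher_export` flag and the `NONE` signature value make export-grade and anonymous suites easy to alert on once the fields are indexed.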
