
Is there a way for Splunk to verify that a website is fully secured on Chrome

ecedwards
Engager

We are trying to figure out a way to monitor all of our websites to make sure Chrome does not flag them as "Site is not fully secured". We need assistance with this, to see if it's possible or only through external tools.


darrenfuller
Contributor

Chrome et al. will post "site is not secured" when you have no SSL, or when your SSL certificate is not signed by a trusted CA, or when your certificates are expired.

So, to monitor for this, you need to have some mechanism open each of your web sites, parse the certificate that the web site is presenting into Splunk indexes, and then alert when the data is not as expected.

The easiest way I can think of to do this would be to write a script that uses the openssl binaries to open your website.

A one line example to get this data would be:

# One-liner CLI to get cert info from a web site:

echo | openssl s_client -showcerts -servername website.domain.com -connect website.domain.com:443 2>/dev/null | openssl x509 -inform pem -noout -text

When I run that against my Splunk server, I get output like the following:

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 15712124552693347650 (0xda0cae08c5faf542)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=CA, L=San Francisco, O=Splunk, CN=SplunkCommonCA/emailAddress=support@splunk.com
        Validity
            Not Before: Dec  2 22:07:37 2016 GMT
            Not After : Dec  2 22:07:37 2019 GMT
        Subject: CN=SplunkServerDefaultCert, O=SplunkUser
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:ba:a6:4e:0a:a2:1c:17:c0:b1:63:57:3d:0e:f2:
                    34:5c:82:21:ae:a1:d4:3c:3e:15:2c:8b:77:9c:c8:
                    c2:92:d1:aa:05:e1:b7:8e:b8:a2:05:fa:6d:a4:0f:
                    cc:fe:84:b4:75:eb:f2:3e:59:8f:15:85:84:de:81:
                    b0:b2:bf:cf:a8:10:55:9c:d3:4a:4f:db:bc:e3:5c:
                    d4:ce:74:af:96:fa:98:ec:81:be:76:aa:cb:9f:ba:
                    00:92:15:b0:a4:f1:5a:d0:c1:e2:52:10:ba:7c:2a:
                    33:36:c9:73:e3:c0:8f:1f:a8:79:dd:05:51:92:e3:
                    78:9c:fb:b4:b2:df:fd:be:f1
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
         32:09:ab:35:32:af:17:d2:ee:94:ef:ca:18:33:4c:bf:0e:a1:
         ea:f4:08:4f:c1:ff:ea:e4:3e:64:23:c7:f5:2d:46:11:83:4b:
         ec:70:99:c9:1f:fa:9d:53:50:c4:f0:a5:e8:f2:aa:f3:a4:11:
         c2:68:51:72:b1:67:de:86:86:69:96:f3:35:84:84:ca:99:dd:
         67:e7:32:3a:ca:b6:3d:f0:77:b0:c7:25:f4:e0:35:2e:d5:79:
         1d:50:38:45:b0:ad:c5:86:db:73:5f:63:82:05:8c:d8:7f:28:
         45:2a:17:84:13:de:b5:f2:2e:07:dc:70:de:87:38:2b:ca:d2:
         6e:fc

So, if you create a shell script for each of your web sites and output the appropriate data from the script to an index, you can then alert when the dates are close or expired, if the signing information is different from what you expect, or if SSL is turned off for some reason.

...is this what you are looking for ... or did I miss the mark?


ecedwards
Engager

We have something similar with a Python script which already does this, and it is being logged in our Splunk server; we also have alerts set up for the same.

The idea is pretty much to have an overview of our websites where sometimes "Mixed Content" is triggered because an external .css or .js file is loaded through HTTP instead of HTTPS, which generates a message saying "The site is not fully secured". This is what we are trying to detect.

Best Regards!

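The mixed-content check this reply asks about (an http:// .css or .js reference on an HTTPS page), as an added example that is not the poster's own Python script: it parses the page's HTML with the standard library, classifies insecure subresources as active (scripts, stylesheets, frames) or passive (media), and emits one key=value line per page for Splunk to index and alert on. SAMPLE_HTML and its hostnames are constructed placeholders; fetching each site's HTML over HTTPS is left to the caller so the block runs offline.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute naming the fetched subresource.
RESOURCE_ATTRS = {"script": "src", "link": "href", "iframe": "src", "object": "data",
                  "embed": "src", "img": "src", "video": "src", "audio": "src", "source": "src"}
# Scripts, stylesheets and frames are "active" mixed content; media is "passive".
ACTIVE_TAGS = {"script", "link", "iframe", "object", "embed"}


class _ResourceCollector(HTMLParser):
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.resources = []  # (tag, absolute_url) for every subresource reference

    def handle_starttag(self, tag, attrs):
        attr_name = RESOURCE_ATTRS.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)
        # Only <link rel=stylesheet> loads active content; skip icons, preloads, etc.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        value = attrs.get(attr_name)
        if value:
            # urljoin resolves relative and protocol-relative ("//cdn/x.js") references
            # against the HTTPS page URL, so only an explicit http:// scheme stays insecure.
            self.resources.append((tag, urljoin(self.base_url, value.strip())))


def find_mixed_content(html, page_url):
    """Return [(tag, url, 'active'|'passive')] for every subresource fetched over http://."""
    collector = _ResourceCollector(page_url)
    collector.feed(html)
    return [(tag, url, "active" if tag in ACTIVE_TAGS else "passive")
            for tag, url in collector.resources if urlsplit(url).scheme == "http"]


def splunk_event(page_url, findings):
    """One key=value line per page, ready to index from a scripted input and alert on."""
    active = sum(1 for f in findings if f[2] == "active")
    urls = ",".join(f[1] for f in findings)
    return f'page="{page_url}" mixed_total={len(findings)} mixed_active={active} insecure_urls="{urls}"'


# Constructed sample page; the hostnames are placeholders, not real sites.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.net/site.css">
<link rel="icon" href="http://cdn.example.net/favicon.ico">
<script src="//cdn.example.net/app.js"></script><script src="/static/local.js"></script>
</head><body><img src="http://images.example.net/logo.png">
<img src="https://images.example.net/ok.png"></body></html>"""
```

Run `find_mixed_content(SAMPLE_HTML, "https://www.example.com/")` and the stylesheet and logo are reported while the protocol-relative, relative and https references are not; alert in Splunk on `mixed_active>0` for the cases Chrome treats most severely.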