Certstream Firehose
Full Recipe¶
Shared by: Ethan Bell
Reproduces the behavior of the certstream website by connecting to the certstream firehose via an SSL-encrypted WebSocket and printing to standard out each time a new certificate is detected.
Certstream Firehose Recipe
Scenario¶
CertStream is an intelligence feed that gives you real-time updates from the Certificate Transparency Log network, allowing you to use it as a building block to make tools that react to new certificates being issued in real time.
This recipe connects to the curated public Certstream aggregation service managed by the team at Cali Dog Security.
Sample Data¶
This recipe connects to the live Certstream feed, so no sample data is needed. A typical raw certificate update object is shown below for review.
```json
{
  "data": {
    "cert_index": 160270422,
    "cert_link": "https://nessie2023.ct.digicert.com/log/ct/v1/get-entries?start=160270422&end=160270422",
    "leaf_cert": {
      "all_domains": [
        "*.nyarkowiz.online",
        "nyarkowiz.online"
      ],
      "extensions": {
        "authorityInfoAccess": "CA Issuers - URI:http://pki.goog/repo/certs/gts1p5.der\nOCSP - URI:http://ocsp.pki.goog/s/gts1p5/fKV4K079ZKo\n",
        "authorityKeyIdentifier": "keyid:D5:FC:9E:0D:DF:1E:CA:DD:08:97:97:6E:2B:C5:5F:C5:2B:F5:EC:B8\n",
        "basicConstraints": "CA:FALSE",
        "certificatePolicies": "Policy: 1.3.6.1.4.1.11129.2.5.3\nPolicy: 2.23.140.1.2.1",
        "crlDistributionPoints": "Full Name:\n URI:http://crls.pki.goog/gts1p5/oE9rr3G5TqE.crl",
        "ctlPoisonByte": true,
        "extendedKeyUsage": "TLS Web server authentication",
        "keyUsage": "Digital Signature, Key Encipherment",
        "subjectAltName": "DNS:nyarkowiz.online, DNS:*.nyarkowiz.online",
        "subjectKeyIdentifier": "42:22:E3:A5:27:CB:93:B1:8F:C0:20:7C:CB:E6:11:ED:B3:A4:CB:BD"
      },
      "fingerprint": "B1:FE:F6:4C:D1:7E:A3:DB:A8:D9:92:EE:18:42:B7:1F:35:2F:75:68",
      "issuer": {
        "C": "US",
        "CN": "GTS CA 1P5",
        "L": null,
        "O": "Google Trust Services LLC",
        "OU": null,
        "ST": null,
        "aggregated": "/C=US/CN=GTS CA 1P5/O=Google Trust Services LLC",
        "emailAddress": null
      },
      "not_after": 1679365412,
      "not_before": 1671589413,
      "serial_number": "201DF51E883B4B37139BBB17CAEACE15",
      "signature_algorithm": "sha256, rsa",
      "subject": {
        "C": null,
        "CN": "*.nyarkowiz.online",
        "L": null,
        "O": null,
        "OU": null,
        "ST": null,
        "aggregated": "/CN=*.nyarkowiz.online",
        "emailAddress": null
      }
    },
    "seen": 1671638236.908937,
    "source": {
      "name": "DigiCert Nessie2023 Log",
      "url": "https://nessie2023.ct.digicert.com/log/"
    },
    "update_type": "PrecertLogEntry"
  },
  "message_type": "certificate_update"
}
```
How it Works¶
The recipe is designed to rapidly load JSON objects into Quine, producing them as disconnected nodes. The ingest stream connects using a WebsocketSimpleStartupIngest stream type and parses each incoming object ($that) using a CypherJson format.
INGEST-1 reads directly from the certstream web socket:

```yaml
- type: WebsocketSimpleStartupIngest
  url: wss://certstream.calidog.io/
  format:
    type: CypherJson
    query: |-
      CREATE ($that)
```

```json
[
  {
    "type": "WebsocketSimpleStartupIngest",
    "url": "wss://certstream.calidog.io/",
    "format": {
      "type": "CypherJson",
      "query": "CREATE ($that)"
    }
  }
]
```
A standing query is configured to detect new nodes in the graph and then print the event to the console.
```yaml
- pattern:
    type: Cypher
    query: MATCH (n) RETURN DISTINCT id(n) AS id
  outputs:
    log-new-certs:
      type: CypherQuery
      query: |-
        MATCH (n)
        WHERE id(n) = $that.data.id
        RETURN n.data
      andThen:
        type: PrintToStandardOut
        logMode: FastSampling
```

```json title="/api/v1/query/standing/STANDING-1"
[
  {
    "pattern": {
      "type": "Cypher",
      "query": "MATCH (n) RETURN DISTINCT id(n) AS id"
    },
    "outputs": {
      "log-new-certs": {
        "type": "CypherQuery",
        "query": "MATCH (n)\nWHERE id(n) = $that.data.id\nRETURN n.data",
        "andThen": {
          "type": "PrintToStandardOut",
          "logMode": "FastSampling"
        }
      }
    }
  }
]
```
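To make concrete what each $that object carries before CREATE ($that) writes it into the graph, here is an added Python example (not part of the recipe or of Quine) that parses a certificate_update message of the shape shown under Sample Data into the fields a defender typically acts on, and runs a hypothetical brand-keyword watchlist over the certificate's domains; the embedded sample message is constructed from the page's sample data.

```python
# Parse a Certstream certificate_update message (the $that object that
# CREATE ($that) writes into the graph) into the fields a defender acts on.
# Added example, not part of the recipe; SAMPLE_MESSAGE is constructed from
# the page's Sample Data and trimmed to the keys read here.
import json

SAMPLE_MESSAGE = json.dumps({
    "message_type": "certificate_update",
    "data": {
        "leaf_cert": {
            "all_domains": ["*.nyarkowiz.online", "nyarkowiz.online"],
            "issuer": {"CN": "GTS CA 1P5", "O": "Google Trust Services LLC"},
            "not_before": 1671589413,
            "not_after": 1679365412,
        },
        "source": {"name": "DigiCert Nessie2023 Log"},
        "update_type": "PrecertLogEntry",
    },
})


def parse_certificate_update(raw):
    """Fields of interest for a certificate_update; None for other message types."""
    msg = json.loads(raw)
    if msg.get("message_type") != "certificate_update":
        return None  # Certstream also emits non-certificate messages such as heartbeats
    data = msg["data"]
    leaf = data["leaf_cert"]
    domains = leaf.get("all_domains", [])
    return {
        "domains": domains,
        "wildcards": [d for d in domains if d.startswith("*.")],
        "issuer_cn": leaf.get("issuer", {}).get("CN"),
        # not_before / not_after are Unix seconds; report the window in days
        "validity_days": (leaf["not_after"] - leaf["not_before"]) / 86400,
        "log_name": data.get("source", {}).get("name"),
        "update_type": data.get("update_type"),
    }


def watchlist_hits(event, keywords):
    """Hypothetical defender check: cert names containing a monitored keyword."""
    hits = []
    for d in event["domains"]:
        host = d[2:] if d.startswith("*.") else d  # ignore the wildcard label
        if any(k.lower() in host.lower() for k in keywords):
            hits.append(d)
    return hits
```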
The recipe will stream events to the console similar to the sample event below.
Running the Recipe¶
```text
❯ java -jar quine-1.7.3.jar -r certstream-firehose.yaml
Graph is ready
Running Recipe: Certstream Firehose
Running Standing Query STANDING-1
Running Ingest Stream INGEST-1
Quine web server available at http://localhost:8080
```