The purpose of this document is to provide examples of metadata that describe "file events" for x509 file objects. These file objects are commonly used in TLS handshakes, digital signatures, file encryption, and entity authentication for directory services.
{
"@timestamp": "blah",
"file": {
"mime_type": "application/x-x509-user-cert",
"hash": {
"md5": "1a64e9ddf8860c868ae2543b2b58626b",
"sha1": "4953961091dd7721964dd1159a5de1a9dee0f865",
"sha256": "32d4caf19071fd7f36613a308dd68f33d02c672af848f25eff976f6f99823933",
"ssdeep": "24:z98cUvCB1jP7NdTL5JcoOHnJgDWYwUJpJMVEDrfizalPcEVIbkJK01xG:z98cUqB1jDN15JfOHJgDLHJpJMVor9En"
},
"x509": {
"public_key_algorithm": "RSA",
"key_size": 2048,
"public_exponent": 65537,
"issuer": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
"not_after": 1589157500,
"not_before": 1581381500,
"serial_number": "273281868135789767083876279627762417593008",
"signature_algorithm": "SHA256-RSA",
"subject": "CN=rocknsm.io",
"version": 3,
"alternative_names": [
"rocknsm.io"
]
}
}
}
Notes:
- The signature algorithm should be normalized. Packetbeat uses the Golang crypto/x509 library name strings (here SHA256-RSA), while OpenSSL and Zeek report sha256WithRSAEncryption.
Generated using OpenSSL 1.1.1.
openssl s_client -connect rocknsm.io:443 -servername rocknsm.io < /dev/null 2>/dev/null | openssl x509 -text
** Output **
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:23:1a:6d:4f:61:69:aa:c2:69:ef:be:29:0c:07:4c:ea:b0
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
Validity
Not Before: Feb 11 00:38:20 2020 GMT
Not After : May 11 00:38:20 2020 GMT
Subject: CN = rocknsm.io
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:ab:c7:1b:0c:ed:c6:01:f8:ea:a9:b3:cf:08:17:
4f:a2:cb:7c:34:c4:66:12:e6:ef:f3:98:17:79:c9:
65:ee:66:4c:1f:9a:92:7d:33:ee:07:fa:2e:15:62:
f7:b4:f3:1f:d5:4f:2e:b1:67:a8:49:42:bf:e3:cc:
9a:b7:30:46:c2:68:f5:28:a9:64:69:6f:4c:4b:64:
24:c9:dc:ed:46:9f:a4:1f:c2:ef:6f:36:d0:bc:69:
27:b8:e2:d6:18:70:40:2c:b4:f5:ee:8f:f7:0d:8c:
6e:03:92:e7:5d:d6:3e:bc:bb:c9:5b:28:10:a0:5a:
f6:37:f5:e1:9e:15:23:72:6e:8e:69:01:09:a4:8c:
a4:c9:d7:db:05:01:90:48:4b:90:20:8c:38:7a:0a:
60:74:79:18:26:30:8e:60:0b:17:b9:24:a0:80:df:
3f:14:00:d3:09:e7:34:47:35:63:7c:54:d2:a0:9d:
e1:57:d1:cb:13:d3:3c:30:24:97:8e:ea:34:00:9f:
cc:6c:0c:6a:f7:54:bc:5e:60:dc:46:31:c2:09:de:
d9:c3:e3:63:1e:8f:1c:c5:90:90:e8:da:86:be:7d:
f1:c3:1f:1a:86:69:9b:0b:e0:b2:0c:47:08:c8:92:
59:2b:66:2f:fa:a1:38:a1:2f:10:65:f6:97:fd:16:
87:33
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
63:4E:15:85:56:5A:A4:94:02:C2:16:42:A4:A5:97:9A:38:02:57:97
X509v3 Authority Key Identifier:
keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
Authority Information Access:
OCSP - URI:http://ocsp.int-x3.letsencrypt.org
CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
X509v3 Subject Alternative Name:
DNS:rocknsm.io
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.44947.1.1.1
CPS: http://cps.letsencrypt.org
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 5E:A7:73:F9:DF:56:C0:E7:B5:36:48:7D:D0:49:E0:32:
7A:91:9A:0C:84:A1:12:12:84:18:75:96:81:71:45:58
Timestamp : Feb 11 01:38:20.964 2020 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:44:02:20:79:C5:EC:48:2D:86:2A:5B:2E:E9:18:20:
70:F0:AA:0F:D6:AC:0F:CF:DD:CE:A1:1D:4F:4C:3C:BB:
11:60:CC:BE:02:20:0C:40:E3:0A:E7:E4:E5:65:C3:FE:
BF:08:6B:74:C7:E3:B8:3D:FB:13:D5:72:6A:F6:36:E5:
32:67:5B:32:CD:2D
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 07:B7:5C:1B:E5:7D:68:FF:F1:B0:C6:1D:23:15:C7:BA:
E6:57:7C:57:94:B7:6A:EE:BC:61:3A:1A:69:D3:A2:1C
Timestamp : Feb 11 01:38:20.998 2020 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:21:00:B4:75:4D:15:C5:7F:4D:AE:40:16:8F:
A8:51:F2:C1:3B:FD:43:2B:1B:8C:4C:48:A5:D6:A9:68:
8B:09:FA:86:F9:02:20:73:FB:89:A3:8A:15:FC:9B:E0:
B7:A6:05:D1:5A:FC:DF:60:DC:06:9A:EB:56:A2:75:A8:
FE:E4:10:43:81:7D:F5
Signature Algorithm: sha256WithRSAEncryption
07:3b:a7:25:6c:ee:c5:6d:4e:25:0a:32:de:d2:e7:ed:e4:b4:
57:c9:1f:9c:53:b3:0e:e9:59:65:bb:68:21:d2:16:f3:fc:91:
f1:02:46:2d:d8:bf:50:b1:ee:97:81:0f:19:90:d9:9a:03:2f:
70:55:72:f8:a1:ab:a2:fa:9b:8f:44:fd:2a:5b:67:f4:90:0c:
a1:80:13:30:c7:35:47:ad:43:97:e5:0a:1d:0b:cf:38:60:c6:
f5:58:54:c6:d4:b9:8c:9b:d9:ca:f2:80:cf:41:70:bd:8b:d3:
a8:d6:da:01:1c:88:87:a6:76:ba:ef:9e:79:2e:1e:2d:0e:90:
38:2e:45:fa:58:f0:55:04:aa:84:5c:a4:d3:39:19:d6:ae:98:
10:9b:75:33:13:41:2f:fd:f3:58:7c:a5:9d:f4:2e:5a:b3:61:
48:47:9f:c1:a9:71:b3:cf:b0:16:fd:84:04:9a:5c:61:2b:9c:
3c:e5:32:24:cc:0e:e2:c5:37:d1:f6:22:12:0b:0c:fa:24:07:
53:3a:c2:60:80:c5:59:87:5e:e4:c5:31:43:76:73:d8:fc:f6:
be:fe:55:84:57:6b:e6:7e:1e:a8:c5:49:c1:a9:b5:7c:e2:e0:
04:5d:05:f2:86:c9:b2:d6:59:67:0c:0d:2c:8b:22:48:85:ce:
cd:b2:3c:d5
Zeek records x509 analysis in the x509.log. This log can be related to its original connection (if there was one) by relating the id field to one of the cert_chain_fuid fields in the ssl.log or by relating the same field to the fuid field in the files.log.
** x509.log **
{
"ts": 1582142617.366239,
"id": "FsDU1c40VByvE8b0m8",
"certificate_version": 3,
"certificate_serial": "03231A6D4F6169AAC269EFBE290C074CEAB0",
"certificate_subject": "CN=rocknsm.io",
"certificate_issuer": "CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US",
"certificate_not_valid_before": 1581381500,
"certificate_not_valid_after": 1589157500,
"certificate_key_alg": "rsaEncryption",
"certificate_sig_alg": "sha256WithRSAEncryption",
"certificate_key_type": "rsa",
"certificate_key_length": 2048,
"certificate_exponent": "65537",
"san_dns": [
"rocknsm.io"
],
"basic_constraints_ca": false
}
** files.log **
{
"ts": 1582142617.366239,
"fuid": "FsDU1c40VByvE8b0m8",
"tx_hosts": [
"185.199.111.153"
],
"rx_hosts": [
"192.168.42.182"
],
"conn_uids": [
"Ce0UqR1tDFKZCsngH1"
],
"source": "SSL",
"depth": 0,
"analyzers": [
"MD5",
"SHA1",
"X509"
],
"mime_type": "application/x-x509-user-cert",
"duration": 0,
"local_orig": false,
"is_orig": false,
"seen_bytes": 1359,
"missing_bytes": 0,
"overflow_bytes": 0,
"timedout": false,
"md5": "1a64e9ddf8860c868ae2543b2b58626b",
"sha1": "4953961091dd7721964dd1159a5de1a9dee0f865"
}
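The join described above (x509.log id to files.log fuid), followed by normalization into the file event shape shown at the top of this document, as an added example that is not part of the original page. The function names and the SIG_ALGS table are assumptions made for illustration; the decimal serial and the C, O, CN issuer order are chosen to match the example event.

```python
import re

# Constructed sample input: the Zeek x509.log and files.log records above, trimmed.
X509_LOG = {
    "id": "FsDU1c40VByvE8b0m8", "certificate_version": 3,
    "certificate_serial": "03231A6D4F6169AAC269EFBE290C074CEAB0",
    "certificate_subject": "CN=rocknsm.io",
    "certificate_issuer": "CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US",
    "certificate_not_valid_before": 1581381500,
    "certificate_not_valid_after": 1589157500,
    "certificate_sig_alg": "sha256WithRSAEncryption",
    "certificate_key_type": "rsa", "certificate_key_length": 2048,
    "certificate_exponent": "65537", "san_dns": ["rocknsm.io"],
}
FILES_LOG = {
    "fuid": "FsDU1c40VByvE8b0m8", "mime_type": "application/x-x509-user-cert",
    "md5": "1a64e9ddf8860c868ae2543b2b58626b",
    "sha1": "4953961091dd7721964dd1159a5de1a9dee0f865",
}
# Assumed partial table: OpenSSL long names -> Go crypto/x509 name strings.
SIG_ALGS = {"sha256WithRSAEncryption": "SHA256-RSA",
            "sha1WithRSAEncryption": "SHA1-RSA"}

def hex_serial_to_decimal(serial):
    """Plain or colon-separated hex serial (Zeek, Suricata, OpenSSL) -> decimal string."""
    return str(int(serial.replace(":", ""), 16))

def reverse_dn(dn):
    """Reverse RDN order, splitting on unescaped commas (simplified DN handling)."""
    return ", ".join(reversed([p.strip() for p in re.split(r"(?<!\\),", dn)]))

def zeek_to_file_event(x509, files_by_fuid):
    """Join x509.log to files.log on id == fuid and emit the normalized event."""
    f = files_by_fuid.get(x509["id"])
    if f is None:
        return None  # certificate seen without a matching files.log record
    alg = x509["certificate_sig_alg"]
    return {"file": {
        "mime_type": f.get("mime_type"),
        "hash": {h: f[h] for h in ("md5", "sha1", "sha256") if h in f},
        "x509": {
            "public_key_algorithm": x509["certificate_key_type"].upper(),
            "key_size": x509["certificate_key_length"],
            "public_exponent": int(x509["certificate_exponent"]),
            "issuer": reverse_dn(x509["certificate_issuer"]),
            "not_after": x509["certificate_not_valid_after"],
            "not_before": x509["certificate_not_valid_before"],
            "serial_number": hex_serial_to_decimal(x509["certificate_serial"]),
            "signature_algorithm": SIG_ALGS.get(alg, alg),  # unknown names pass through
            "subject": x509["certificate_subject"],
            "version": x509["certificate_version"],
            "alternative_names": x509.get("san_dns", []),
        }}}
```

Zeek's files.log carries only the hashes its enabled analyzers produced (MD5 and SHA1 here), so sha256 and ssdeep from the example event are absent from the result.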
Suricata does not emit x509 events specifically, but offers some overlapping fields from TLS and RDP event types. Interestingly, Suricata does not decode the certificate in the RDP events, but only provides the serials.
** TLS event **
{
"timestamp": "2020-02-19T21:15:59.165829+0000",
"flow_id": 1768404022140842,
"in_iface": "eth0",
"event_type": "tls",
"src_ip": "10.128.0.15",
"src_port": 53618,
"dest_ip": "185.199.108.153",
"dest_port": 443,
"proto": "TCP",
"metadata": {
"flowbits": [
"FB180732_0",
"FB346039_0",
"FB709724_",
"FB332502_"
]
},
"community_id": "1:0JazoyLMPHyhsRFYqnxjWfcZlD4=",
"tls": {
"subject": "CN=rocknsm.io",
"issuerdn": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
"serial": "03:23:1A:6D:4F:61:69:AA:C2:69:EF:BE:29:0C:07:4C:EA:B0",
"fingerprint": "49:53:96:10:91:dd:77:21:96:4d:d1:15:9a:5d:e1:a9:de:e0:f8:65",
"sni": "rocknsm.io",
"version": "TLS 1.2",
"notbefore": "2020-02-11T00:38:20",
"notafter": "2020-05-11T00:38:20",
"ja3": {
"hash": "40adfd923eb82b89d8836ba37a19bca1",
"string": "771,4866-4867-4865-49196-49200-159-52393-52392-52394-49195-49199-158-49188-49192-107-49187-49191-103-49162-49172-57-49161-49171-51-157-156-61-60-53-47-255,0-11-10-35-22-23-13-43-45-51,29-23-30-25-24,0-1-2"
},
"ja3s": {
"hash": "098e26e2609212ac1bfac552fbe04127",
"string": "771,49199,65281-0-11-35-23"
}
}
}
** RDP event **
{
"timestamp": "2020-02-19T21:25:56.803767+0000",
"flow_id": 1238976327609544,
"in_iface": "eth0",
"event_type": "rdp",
"src_ip": "212.92.106.146",
"src_port": 64570,
"dest_ip": "10.128.0.12",
"dest_port": 3389,
"proto": "TCP",
"rdp": {
"tx_id": 2,
"event_type": "tls_handshake",
"x509_serials": [
"6369a73c262d96a749ed5eac64da12e9"
]
}
}
Similar to Suricata, Packetbeat does not emit x509 file events specifically, but it does offer a very detailed analysis of the x509 objects.
{
"@timestamp": "2020-02-19T21:36:13.509Z",
"client": {
"ip": "10.128.0.15",
"port": 57632
},
"network": {
"type": "ipv4",
"transport": "tcp",
"protocol": "tls",
"community_id": "1:HpASAvyqUdLAsAXBuaU6ATI1pDo="
},
"server": {
"domain": "rocknsm.io",
"ip": "185.199.109.153",
"port": 443
},
"status": "OK",
"host": {
"id": "b97c1797f883eb5f3d72134d451d0384",
"containerized": false,
"hostname": "rock01",
"architecture": "x86_64",
"name": "rock01",
"os": {
"kernel": "3.10.0-1062.4.3.el7.x86_64",
"codename": "Core",
"platform": "centos",
"version": "7 (Core)",
"family": "redhat",
"name": "CentOS Linux"
}
},
"agent": {
"type": "packetbeat",
"ephemeral_id": "cc7e340d-332c-4c17-b904-987526ef12af",
"hostname": "rock01",
"id": "e9258ca9-ba0d-4c4b-b182-0c1b58f8ee63",
"version": "7.6.0"
},
"cloud": {
"provider": "gcp",
"instance": {
"name": "rock01",
"id": "6348367930943477095"
},
"machine": {
"type": "n2-standard-8"
},
"availability_zone": "us-central1-a",
"project": {
"id": "elastic-siem"
}
},
"tls": {
"detailed": {
"version": "TLS 1.2",
"client_hello": {
"session_id": "f070e379dc1720c801b32eed6018699ef1f207237ffff128eaab2c1e5bf6b400",
"supported_compression_methods": [
"NULL"
],
"extensions": {
"supported_groups": [
"x25519",
"secp256r1",
"x448",
"secp521r1",
"secp384r1"
],
"session_ticket": "",
"signature_algorithms": [
"ecdsa_secp256r1_sha256",
"ecdsa_secp384r1_sha384",
"ecdsa_secp521r1_sha512",
"ed25519",
"ed448",
"(unknown:0x0809)",
"(unknown:0x080a)",
"(unknown:0x080b)",
"rsa_pss_sha256",
"rsa_pss_sha384",
"rsa_pss_sha512",
"rsa_pkcs1_sha256",
"rsa_pkcs1_sha384",
"rsa_pkcs1_sha512",
"(unknown:0x0303)",
"ecdsa_sha1",
"(unknown:0x0301)",
"rsa_pkcs1_sha1",
"(unknown:0x0302)",
"(unknown:0x0202)",
"(unknown:0x0402)",
"(unknown:0x0502)",
"(unknown:0x0602)"
],
"supported_versions": [
"TLS 1.3",
"TLS 1.2",
"TLS 1.1",
"TLS 1.0"
],
"_unparsed_": [
"22",
"23",
"45",
"51"
],
"server_name_indication": [
"rocknsm.io"
],
"ec_points_formats": [
"uncompressed",
"ansiX962_compressed_prime",
"ansiX962_compressed_char2"
]
},
"version": "3.3"
},
"server_hello": {
"extensions": {
"session_ticket": "",
"_unparsed_": [
"renegotiation_info",
"server_name_indication",
"23"
],
"ec_points_formats": [
"uncompressed",
"ansiX962_compressed_prime",
"ansiX962_compressed_char2"
]
},
"version": "3.3",
"selected_compression_method": "NULL"
},
"server_certificate": {
"issuer": {
"country": "US",
"organization": "Let's Encrypt",
"common_name": "Let's Encrypt Authority X3"
},
"version": 3,
"serial_number": "273281868135789767083876279627762417593008",
"public_key_size": 2048,
"public_key_algorithm": "RSA",
"signature_algorithm": "SHA256-RSA",
"subject": {
"common_name": "rocknsm.io"
},
"not_before": "2020-02-11T00:38:20.000Z",
"not_after": "2020-05-11T00:38:20.000Z",
"alternative_names": [
"rocknsm.io"
]
},
"server_certificate_chain": [
{
"not_before": "2016-03-17T16:40:46.000Z",
"signature_algorithm": "SHA256-RSA",
"version": 3,
"serial_number": "13298795840390663119752826058995181320",
"public_key_algorithm": "RSA",
"issuer": {
"common_name": "DST Root CA X3",
"organization": "Digital Signature Trust Co."
},
"subject": {
"country": "US",
"organization": "Let's Encrypt",
"common_name": "Let's Encrypt Authority X3"
},
"not_after": "2021-03-17T16:40:46.000Z",
"public_key_size": 2048
}
],
"client_certificate_requested": false
},
"resumed": false,
"version": "1.2",
"version_protocol": "tls",
"cipher": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"established": true,
"client": {
"supported_ciphers": [
"TLS_AES_256_GCM_SHA384",
"TLS_CHACHA20_POLY1305_SHA256",
"TLS_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
"TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
"TLS_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_CBC_SHA256",
"TLS_RSA_WITH_AES_128_CBC_SHA256",
"TLS_RSA_WITH_AES_256_CBC_SHA",
"TLS_RSA_WITH_AES_128_CBC_SHA",
"TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
],
"ja3": "40adfd923eb82b89d8836ba37a19bca1",
"server_name": "rocknsm.io"
},
"server": {
"not_after": "2020-05-11T00:38:20.000Z",
"hash": {
"sha1": "4953961091DD7721964DD1159A5DE1A9DEE0F865"
},
"subject": "CN=rocknsm.io",
"issuer": "CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US",
"not_before": "2020-02-11T00:38:20.000Z"
}
},
"source": {
"ip": "10.128.0.15",
"port": 57632
},
"event": {
"category": "network_traffic",
"dataset": "tls",
"duration": 26663000,
"start": "2020-02-19T21:36:13.509Z",
"end": "2020-02-19T21:36:13.536Z",
"kind": "event"
},
"type": "tls",
"destination": {
"ip": "185.199.109.153",
"port": 443,
"domain": "rocknsm.io"
},
"ecs": {
"version": "1.4.0"
}
}
** Strelka event **
{
"file": {
"depth": 0,
"flavors": {
"mime": [
"application/octet-stream"
],
"yara": [
"x509_der_file"
]
},
"scanners": [
"ScanEntropy",
"ScanHash",
"ScanHeader",
"ScanX509",
"ScanYara"
],
"size": 1359,
"tree": {
"node": "68775501-b2e8-4d86-8f69-d2a0d1636b04"
}
},
"request": {
"attributes": {
"filename": "/Users/dcode/Projects/strelka/data/2020-02-19/rocknsm.crt"
},
"client": "go-fileshot",
"id": "91fba852-af3c-4427-8d2a-ebdd5ee18e08",
"source": "eBook.local",
"time": 1582141863
},
"scan": {
"entropy": {
"elapsed": 5.4e-05,
"entropy": 7.368475034496057
},
"hash": {
"elapsed": 9e-05,
"md5": "1a64e9ddf8860c868ae2543b2b58626b",
"sha1": "4953961091dd7721964dd1159a5de1a9dee0f865",
"sha256": "32d4caf19071fd7f36613a308dd68f33d02c672af848f25eff976f6f99823933",
"ssdeep": "24:z98cUvCB1jP7NdTL5JcoOHnJgDWYwUJpJMVEDrfizalPcEVIbkJK01xG:z98cUqB1jDN15JfOHJgDLHJpJMVor9En"
},
"header": {
"elapsed": 6.1e-05,
"header": "0�\u0005K0�\u00043�\u0003\u0002\u0001\u0002\u0002\u0012\u0003#\u001amOai��i�)\f\u0007L�0\r\u0006\t*�H��\r\u0001\u0001\u000b\u0005\u00000J"
},
"x509": {
"elapsed": 0.002389,
"expired": false,
"fingerprint": "1A64E9DDF8860C868AE2543B2B58626B",
"issuer": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
"not_after": 1589157500,
"not_before": 1581381500,
"serial_number": "273281868135789767083876279627762417593008",
"subject": "CN=rocknsm.io",
"version": 2
},
"yara": {
"elapsed": 8.2e-05
}
}
}