Carbon Black Cloud: How to confirm content filtering or SSL Inspection is involved with Communication.
Article ID: 286818
Updated On:
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
How to confirm content filtering or SSL Inspection is involved with Communication
Environment
- Carbon Black Cloud Sensor: All Versions
- WireShark
Resolution
- Open your PCAP.
- Locate communication between client and CBC, use the Configuration Guide link from the firewall port KB below to help determine the CBC sites.
- tls.handshake && tls.handshake.extensions_server_name == "dev-prod05.conferdeploy.net"
- tls.handshake && tls.handshake.extensions_server_name == "updates2.cdc.carbonblack.io"
- tls.handshake && tls.handshake.extensions_server_name == "content.carbonblack.io"
- Use 'Follow Stream' 'TCP' in the Conversations dialog to display that conversation. Dismiss the 'raw data' display that pops up; we won't need that for what we're doing. "Analyze\Follow\TCP Stream"
- Highlight the 'Certificate' packet in the top pane of the display in the Info column.
- Review the Transport Layer Security section and look for highlighted data, if it is highlighted it means there is an error you can drill into.
- To see the signer of the Certificate drill down into Transport Layer Security \Handshake Protocol\Certificates\Certificate:...\signedCertificate\Issuer
- Review the content for the RDNSequence to see if it matches expectations.
CBC Sites Certs Cert URL's Prod GoDaddy http://ocsp.godaddy.com
http://crl.godaddy.comUpdates DigiCert http://crl3.digicert.com
http://crl4.digicert.com
- Review the content for the RDNSequence to see if it matches expectations.
Additional Information
Firewalls and proxies can both do SSL Inspection, when a device intercepts our packet and provides its own it may interfere with the validation of or product, manifest or signature files.
Feedback
Yes
No
Powered by
