
SSL Framework Guide

v.1.5.2
Content
Release Notes ...................................................................................................................... 3
SOC Prime SSL Framework Solution Overview ................................................................ 4
How SSL Framework works ............................................................................................... 4
Installing and Configuring SSL Framework ...................................................................... 6
Requirements ..................................................................................................................... 6
Preparing to Setup ............................................................................................................. 6
SSL Framework Setup ....................................................................................................... 6
Uninstalling SSL Framework .............................................................................................. 8
Configuring SIEM System ................................................................................................... 9
Use cases for SIEM in SSL Framework ............................................................................. 9
Configuring HP ArcSight .................................................................................................... 9
Configuring IBM QRadar .................................................................................................. 11
Configuring Splunk ........................................................................................................... 12
Installing and Configuring Python ................................................................................... 15
Running SSL Framework Manually .................................................................................. 16

Power On Security 2
Chapter 1
Release Notes
Version 1.5.2
Added Proxy Configuration to Setup page in Splunk.
Now proxy credential in Splunk are stored in secure system storage.
Version 1.5.0
Updated content for SIEM.
Improved stability.
Fixed problem processing Unicode.
Version 1.1.0
Added proxy settings.
Added option to send report events via Syslog.
Added notifications about scan problems in events.
Updated Dashboard with Scan Errors panel.
New use case added: New web-server added to Domain.
Version 1.0.2
Updated Dashboard in QRadar Content.
Updated Dashboard in ArcSight Content.
Updated Guide documentation.
Fixed: minor bugs.
Version 1.0.1
Initial version.

Chapter 2
SOC Prime SSL Framework Solution Overview
SOC Prime SSL Framework combines the capabilities of Qualys SSL Labs and SIEM
systems. This integration enables automatic tracking of the status of SSL certificates
and of web server security in the corporate domain.

How SSL Framework works


Scheme of interaction:

SOC Prime SSL Framework runs a daily analysis of your corporate web servers through Qualys
SSL Labs and, using the Qualys SSL Labs API, produces reports in the following formats:
- CEF (Common Event Format) for the ArcSight CEF Folder Follower Connector (for
  correlation in HP ArcSight);
- LEEF (Log Event Extended Format) for the IBM QRadar Universal LEEF DSM (for
  correlation in IBM QRadar);
- key=value log format for Splunk.

Using the capabilities of SIEM systems (integration commands, plugins etc.) you will be able
to view the full report on the Qualys SSL Labs web site from the console of your SIEM.
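The guide names the three output formats but does not show a line of any of them. The following added example (not SOC Prime's code) encodes one constructed scan result as CEF, LEEF 1.0 and Splunk key=value, with the escaping each format requires. The vendor/product header strings, the event id and every field name except slf_domain (the only field the guide mentions) are assumptions made for this illustration.

```python
# Added example (not SOC Prime's code): encode one scan result as the three
# line formats the guide names, CEF for ArcSight, LEEF 1.0 for QRadar and
# key=value for Splunk. The vendor/product header strings, the event id and
# every field name except slf_domain are assumptions made for this example.
VENDOR = "SOC Prime"
PRODUCT = "SSL Framework"
VERSION = "1.5.2"

# Constructed sample result; field names other than slf_domain are assumed.
SAMPLE_RESULT = {
    "slf_domain": "www.example.com",
    "slf_grade": "A",
    "slf_cert_notafter": "2026-01-15",
    "slf_cert_status": "valid",
}


def _cef_header(value):
    # CEF header fields escape the backslash and the pipe delimiter.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _cef_extension(value):
    # CEF extension values escape backslash, '=' and line breaks; '|' is allowed.
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(result, signature_id="100", name="SSL Labs scan", severity=3):
    """CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|Extension"""
    header = "|".join(_cef_header(v) for v in
                      (VENDOR, PRODUCT, VERSION, signature_id, name, severity))
    extension = " ".join("%s=%s" % (k, _cef_extension(v))
                         for k, v in sorted(result.items()))
    return "CEF:0|%s|%s" % (header, extension)


def to_leef(result, event_id="100"):
    """LEEF:1.0|Vendor|Product|Version|EventID|key=value<TAB>key=value"""
    header = "|".join(str(v).replace("|", " ")
                      for v in (VENDOR, PRODUCT, VERSION, event_id))
    # LEEF 1.0 separates attributes with a tab, so tabs in values are replaced.
    attributes = "\t".join("%s=%s" % (k, str(v).replace("\t", " "))
                           for k, v in sorted(result.items()))
    return "LEEF:1.0|%s|%s" % (header, attributes)


def to_splunk_kv(result):
    """Space-separated key="value" pairs; quotes and backslashes are escaped."""
    pairs = []
    for k, v in sorted(result.items()):
        value = str(v).replace("\\", "\\\\").replace('"', '\\"')
        pairs.append('%s="%s"' % (k, value))
    return " ".join(pairs)


if __name__ == "__main__":
    for line in (to_cef(SAMPLE_RESULT), to_leef(SAMPLE_RESULT),
                 to_splunk_kv(SAMPLE_RESULT)):
        print(line)
```

Keys are emitted in sorted order so that the output is deterministic; a collector does not care about attribute order, but a regression test does.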

SSL Framework for HP ArcSight consists of the script file and a content package for
ArcSight. You will need to install SSL Framework on a Windows or Linux server, install the
ArcSight Common Event Format Multiple File Connector (for files) or the ArcSight SmartConnector
Syslog Daemon, and import the content package into the ArcSight Manager (ESM, Express).
To install SSL Framework see Installing SSL Framework. For importing and configuring the
content package see Configuring HP ArcSight.

SSL Framework for IBM QRadar consists of the script file and a content package for
QRadar. You will need to install SSL Framework on a Windows or Linux server, configure a
Universal LEEF DSM to read files or Syslog, and import the content package into QRadar. To install
SSL Framework see Installing SSL Framework. For importing and configuring the content
package see Configuring IBM QRadar.

SSL Framework for Splunk is an application developed specifically for Splunk. The
application includes all necessary tools. If you are using Splunk you do not have to install
the script and configuration files. For configuring SSL Framework for Splunk see
Configuring Splunk.

Chapter 3
Installing and Configuring SSL Framework
This chapter contains information about installing and configuring SSL Framework.

Requirements
- Operating system: Windows 7, Server 2008 or higher; Red Hat 6.2 or higher; CentOS 6.2
  or higher. SSL Framework can be installed on any other operating system but is not
  guaranteed to work correctly.
- Network access to api.ssllabs.com on port 443.
- For Linux servers, Python version 2.6.6 or higher, except versions 3.x.x, is required. For
  sending results via the Syslog TCP protocol, Python 2.7.x is required.
- Libraries for Python: requests, argparse. For instructions on verification see Appendix A
  Installing and Configuring Python.
- For installing Python and the libraries you will need access to https://www.python.org and
  https://bootstrap.pypa.io.

Preparing to Setup
We recommend setting up SSL Framework on a server that is in a network segment with
access to the SIEM system.
The output of SSL Framework is either sent to the SIEM via syslog, or files in the SIEM's format are
placed in a directory from which the SIEM system reads them. The appropriate location of the
directory depends on your SIEM system and collection method (remote or local).
For Splunk there is a native application that contains all the necessary modules and installs
directly on Splunk.

SSL Framework Setup


Windows:
1. Verify that the server on which you want to install SSL Framework matches
requirements.
2. Download soc-prime-ssl-framework-windows-v.x.x.x.zip from
socprime.com.
3. Unzip and run ssl-framework-windows-v.x.x.x.exe.
4. In the Welcome window click Next.
5. Read the License Agreement and accept it.
6. Choose folder to install.
7. Choose export format: CEF, LEEF or Splunk.
8. Choose output method Output to file or Send via Syslog. If you chose
Output to file go to Step 9. If you chose Send via Syslog go to Step 10.
9. Choose folder for output. Go to Step 11.

10. Choose protocol TCP or UDP and specify hostname or IP Address of
destination and port.
11. If needed choose option Use proxy-server and specify hostname or IP
Address of proxy-server, port and user/password if needed (basic authentication).
12. Set up frequency and starting time of the task in the format: Run every N days
at HH:MM.
Possible values N from 1 to 365; Hour from 0 to 23, Minutes from 0 to 59.
13. Click Install.
14. After installation is complete click Finish (do not uncheck the "Edit domain list
file" option). The file domainlist.txt will open in a text editor. Type the list of web servers
into the file, one per line. Save the file and close the text editor.
Linux:
1. Verify that the server on which you want to install SSL Framework matches
requirements.
2. Download soc-prime-ssl-framework-linux-v.x.x.x.tar.tgz from
socprime.com.
3. Untar archive:
tar -xvf ssl-framework-v.x.x.x.tar.tgz
4. Change directory to ssl-framework-v.x.x.x:
cd ssl-framework-v.x.x.x
5. Run script ssl-framework-install.py:
python ssl-framework-install.py
6. Press Enter to start setup.
7. Choose export format: CEF, LEEF or Splunk.
8. Choose output method File or Syslog. If you chose File go to Step 9. If
you chose Syslog go to Step 10.
9. Enter absolute path to export results. Go to Step 11.
10. Choose protocol TCP or UDP and specify hostname or IP Address of
destination and port.
11. If proxy is needed specify hostname or IP Address of proxy-server, port and
user/password if needed (basic authentication). If you do not use proxy leave all fields
blank.
12. Enter the domain list, comma-separated.
13. Set up frequency and starting time of the task in the format: Run every N days
at HH:MM.
Possible values N from 1 to 365; Hour from 0 to 23, Minutes from 0 to 59.
14. Press Enter to finish setup.
15. Restart crontab service with command:
sudo service crond restart

After a successful installation the script ssl-framework-report.py will start at the nearest
scheduled time. After the process is complete the results will appear in the folder that was
configured during the installation (default: reports) in the specified format, or will be sent to the
destination via syslog.
Running manually
You can run the script manually. For details about manual script operation see Appendix B
Running SSL Framework manually.

Uninstalling SSL Framework


Windows:
To uninstall SSL Framework, go to the directory where you have installed it and run
unins000.exe. After confirming the removal SSL Framework will be completely removed from
your server.
Linux:
To remove SSL Framework, log on to the server as the user under which SSL Framework
was installed. Remove the task from crontab with the following command:
crontab -e
Save the crontab file and restart the crontab service. Remove the folder with the SSL Framework files.

Chapter 4
Configuring SIEM System
This chapter contains information about configuring SIEM system in order to work with SSL
Framework.

SSL Framework version 1.5.0 supports HP ArcSight Express CORE 4.0, ESM 6.0 or higher;
IBM QRadar 7.2.3 or higher; Splunk 6.3.1 or higher.

Use cases for SIEM in SSL Framework

Use case: Certificate expires in 60, 30, 7 and 1 day
  Description: Automatic monitoring and comparing of the expiration date of each
  certificate to the current date. Email notification that the certificate
  expires in 60, 30, 7 and 1 days.

Use case: Certificate expired
  Description: Automatic monitoring and comparing of the expiration date of each
  certificate to the current date. Email notification that the certificate
  has expired.

Use case: Certificate was revoked
  Description: Automatic monitoring of the status of each certificate. Email notification that
  the certificate has been revoked.

Use case: Overall rating changed
  Description: Automatic monitoring of the overall rating of each web server and
  comparison with the previous rating. Email notification that the
  server's overall rating has changed.

Use case: New Domain or Host added
  Description: Automatic monitoring of whether a new domain or web server in a domain was
  added to SSL Framework. Email notification.

Use case: Host was not scanned for 2 days
  Description: Automatic monitoring of whether a host was not scanned for two days by Qualys
  SSL Labs. Email notification.
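The table describes what each use case checks but not how the checks combine on a single host. The following added example (not SSL Framework's own rule content) applies that detection logic to a constructed set of scan records and reports which notifications would fire for a given day. Record field names and the previous-grade lookup are assumptions; the thresholds (60/30/7/1 days before expiry, 2 days without a scan) are the ones the table lists.

```python
# Added example, not SSL Framework's own code. It applies the detection logic
# of the use-case table to constructed scan records and reports which
# email notifications would fire for a given day. Record field names and the
# previous-grade lookup are assumptions; the thresholds (60/30/7/1 days before
# expiry, 2 days without a scan) are the ones the guide lists.
import datetime

EXPIRY_WARNING_DAYS = (60, 30, 7, 1)
NOT_SCANNED_DAYS = 2

# Constructed sample: today's scan results and the grades known from the
# previous run (a host absent from PREVIOUS_GRADES counts as newly added).
TODAY = datetime.date(2025, 3, 1)
CURRENT_SCANS = [
    {"host": "www.example.com", "not_after": datetime.date(2025, 3, 31),
     "revoked": False, "grade": "A", "last_scan": datetime.date(2025, 3, 1)},
    {"host": "shop.example.com", "not_after": datetime.date(2025, 2, 20),
     "revoked": False, "grade": "B", "last_scan": datetime.date(2025, 2, 26)},
    {"host": "new.example.com", "not_after": datetime.date(2026, 1, 1),
     "revoked": True, "grade": "A", "last_scan": datetime.date(2025, 3, 1)},
]
PREVIOUS_GRADES = {"www.example.com": "A", "shop.example.com": "A+"}


def evaluate_host(record, today, previous_grades):
    """Return the list of use cases that fire for one host on 'today'."""
    alerts = []
    days_left = (record["not_after"] - today).days
    if days_left < 0:
        alerts.append("certificate expired")
    elif days_left in EXPIRY_WARNING_DAYS:
        # The report runs once a day, so each threshold is hit exactly once.
        alerts.append("certificate expires in %d day(s)" % days_left)
    if record["revoked"]:
        alerts.append("certificate was revoked")
    host = record["host"]
    if host not in previous_grades:
        alerts.append("new host added")
    elif previous_grades[host] != record["grade"]:
        alerts.append("overall rating changed (%s -> %s)"
                      % (previous_grades[host], record["grade"]))
    if (today - record["last_scan"]).days >= NOT_SCANNED_DAYS:
        alerts.append("host was not scanned for %d days" % NOT_SCANNED_DAYS)
    return alerts


def evaluate_all(records, today, previous_grades):
    """Map each host to its list of fired use cases; an empty list means quiet."""
    return {r["host"]: evaluate_host(r, today, previous_grades) for r in records}


if __name__ == "__main__":
    for host, alerts in evaluate_all(CURRENT_SCANS, TODAY, PREVIOUS_GRADES).items():
        print(host, "->", alerts or "no notification")
```

A newly added host is deliberately not also reported as a rating change, since there is no previous rating to compare against; in the SIEM content the same separation is what keeps the two rules from firing together on first sight of a host.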

Configuring HP ArcSight
1. Depending on the method of exporting scan results you chose while installing SSL
Framework, install the ArcSight Common Event Format Multiple File Connector on the server with
SSL Framework and configure it according to the ArcSight instructions to monitor the folder with
SSL Framework results (default: subfolder reports in the SSL Framework folder), or install the
ArcSight SmartConnector Syslog Daemon. Set up ArcSight Manager as the Destination on the connector.
Recommended parameters for the file reader connector agent.properties:
agents[0].foldertable[0].mode=DeleteFile
agents[0].foldertable[0].processingmode=batch
agents[0].foldertable[0].startatend=true
agents[0].foldertable[0].usenonlockingwindowsfilereader=false

2. Download the content package soc-prime-ssl-framework-content-hp-arcsight-v.x.x.x.zip
from socprime.com.
Unzip it and import the package SOC_Prime_SSL_Framework_v.x.x.x.arb into ArcSight Manager
with the ArcSight Console.

3. Enable rules. In the ArcSight Console, open in the Navigator the rule group
SOC Prime Solutions / SSL Framework and enable (Enable Rule) all rules. In the right-click menu
on the group SSL Framework choose Deploy RealTime Rule(s).

4. Notifications. By default the group of rules has an action Send Notification to the group
SOC Prime Solutions. You can create a New Destination in this group or change the notification
group in every rule to what you need.
Along with the content package you can find email templates in the downloaded zip. Copy them
to the server with ArcSight Manager (ESM / Express) into
/opt/arcsight/manager/config/notification. Edit Email.vm according to the ArcSight
recommendations.
5. In the Active Channel SOC Prime Solutions / SSL Framework / SSL Labs Events, from the
right-click menu of any SSL Framework event you can open the full report of the server
on www.ssllabs.com using the Integration Command SSL Labs Detailed Report.

6. Successful configuration of SSL Framework and content in ArcSight should make the
Dashboard SSL Labs Overview look like this:

Configuring IBM QRadar
1. Create a Universal LEEF DSM for reading files from the folder with SSL Framework result files
(default: subfolder reports in the SSL Framework folder). You can set the file name pattern with the
regex ssl-framework-report-\d+-\d+-\d+-\d+-\d+-\d+.\d+.leef. Alternatively create a Universal
LEEF DSM for Syslog, depending on which method of exporting scan results you chose while installing
SSL Framework.
Once you see SSL Framework events in the QRadar Console (open Log Source with the filter Log
Source Type is Universal LEEF), open one of the events to see details and press Map Event.
Choose High-Level Category System, Low-Level Category Information, Name INFO
(QID 29500009; it may differ depending on the QRadar version). Press Ok. All subsequent
events will be mapped to this QID.
2. Download the content package soc-prime-ssl-framework-content-ibm-qradar-v.x.x.x.tar.gz
from socprime.com. Copy the archive
soc-prime-ssl-framework-content-ibm-qradar-v.x.x.x-ContentExport-xxxxxxxxxxxxxx.tar.gz
to the QRadar server. Import the content into QRadar with the following command:
/opt/qradar/bin/contentManagement.pl -a import -f /PATH-TO/soc-prime-ssl-framework-content-ibm-qradar-v.x.x.x-ContentExport-xxxxxxxxxxxxxx.tar.gz

3. Enable rules. In the QRadar Console, under Offenses / Rules, choose the group
SOC Prime Solutions / SSL Framework. Enable all rules via Actions / Enable/Disable.

4. Notifications. Edit each rule and add Email action in Rule Response.

5. In Log Activity, from the right-click menu of any SSL Framework event on the field
SLF_Domain you can open the full report of the server on www.ssllabs.com using the
plugin SSL Labs Full Report.
To make the plugin work, create (or add the following lines to) the file
/opt/qradar/conf/arielRightClick.properties:
pluginActions=SSLLabsReport
### SSL Framework Report
SSLLabsReport.arielProperty=slf_domain
SSLLabsReport.text=SSL Labs Full Report
SSLLabsReport.url=https://www.ssllabs.com/ssltest/analyze.html?d=$slf_domain$&hideResults=on

Restart the web server from the console: Admin tab / Advanced / Restart Web Server.
6. Successful configuration of SSL Framework and content in QRadar should make the
Dashboard SSL Framework look like this:

There is no use case "Host was not scanned for 2 days" for QRadar.

Configuring Splunk
1. Verify that the server with Splunk on which you want to install the SSL Framework App matches the
Requirements. Verify that all necessary Python libraries are installed. For instructions on
verification see Appendix A Installing and Configuring Python.
2. Download the zip file with the App soc-prime-ssl-framework-content-splunk-v.x.x.x.zip from
socprime.com.
3. Unzip the file. In the Splunk Console go to Apps / Manage Apps and press Install app from file.
Choose the file SOCPrimeSSLFramework.spl from the zip and press Upload. After a successful
upload you should restart Splunk.

4. After restarting Splunk you should configure the SSL Framework App. Choose SSL
Framework App from the list of Apps and press Continue to app setup page in the opened
window.
5. Type into the field Domains List, comma-separated, all your corporate domains that use
an SSL certificate (with https://).
6. Type into the field E-mail address for notifications your email(s) for notifications
(comma-separated).
7. Press Save.
8. If a proxy server is required, select the option Enable Proxy and set the proxy host and port.
If authentication is needed, select Enable proxy authentication and set the username and password.
If you need to set up the proxy once again, you should clear the file
$SPLUNK_HOME/etc/apps/SOCPrimeSSLFramework/local/passwords.conf and restart
Splunk. Only after that will you be able to set up the proxy again.

By default, web servers are checked daily at 4 am; the script is scheduled to run at that time. You
can change the schedule time in Data Inputs / Scripts /
$SPLUNK_HOME/etc/apps/SOCPrimeSSLFramework/bin/ssl-framework-report.py. Alerts are
configured as Saved Searches and are scheduled daily at 9 am. You can change their schedule
time in Alerts / Edit / Edit Alert Type and Trigger.
Successful configuration of SSL Framework and content in Splunk should make the Dashboard
SSL Framework look like this:

Appendix A
Installing and Configuring Python
Windows:
The installation file ssl-framework-windows-v.x.x.x.exe contains the necessary version of
Python and the libraries.
Linux
1. Check whether the required Python version is installed (in the command line):
python -V
If the required Python version is installed go to Step 3. If not, download Python here:
https://www.python.org/downloads/source/

2. Install Python using this guide https://docs.python.org/2/using/unix.html

3. Check if you have pip on the server:


pip -V
4. If there is no pip, install it using this guide https://pip.pypa.io/en/latest/installing.html:
- download get-pip.py from https://bootstrap.pypa.io/get-pip.py
wget https://bootstrap.pypa.io/get-pip.py
- install pip:
python get-pip.py
5. Check the necessary libraries with the command:
pip list
If the libraries argparse and requests are missing, install them:
pip install argparse
pip install requests

Appendix B
Running SSL Framework Manually
Linux
To view all script execution options run the script from the command line with a parameter -h:
python ssl-report.py -h
Result:
usage: ssl-report.py [-h] [-d DOMAIN] [-c CONFIG]
optional arguments:
-h, --help show this help message and exit
-d DOMAIN, --domain DOMAIN
Scan specified domain
-c CONFIG, --config CONFIG
Full path to config file

To check a single server manually, run the following command:
python ssl-report.py -d yourdomain.com
To check more than one server manually, create a configuration file ssl-report.cfg
and a file domainlist.txt with the list of servers:
ssl-report.cfg:
[main]
waitresulttimeout = 60
maxassessmentstimeout = 60
domainslistfile = %PATH TO FILE%/domainlist.txt
maxcacheage = 1
exportformat = cef
reportspath = %PATH TO FOLDER%/reports

connectmaxretries = 10
connectretrytimeout = 60

#[syslog]
#protocol = tcp
#host = 10.10.10.10
#port = 514

#[proxy]
#host = proxyhost
#port = 3128
#login = user
#password = password

domainlist.txt
yourdomain1.com
yourdomain2.com
yourdomain3.com

and run the script with the configuration file passed via the -c option shown in the help output above:
python ssl-report.py -c %PATH TO FILE%/ssl-report.cfg

Windows
You can run ssl-framework-report.exe manually with administrative privileges. It will run in
the background with the settings from the configuration file ssl-report.cfg and the file with the
list of servers, domainlist.txt:
ssl-report.cfg:
[main]
waitresulttimeout = 60
maxassessmentstimeout = 60
domainslistfile = %PATH TO FILE%/domainlist.txt
maxcacheage = 1
exportformat = cef
reportspath = %PATH TO FOLDER%/reports

connectmaxretries = 10
connectretrytimeout = 60

#[syslog]
#protocol = tcp
#host = 10.10.10.10
#port = 514

#[proxy]
#host = proxyhost
#port = 3128
#login = user
#password = password

domainlist.txt
yourdomain1.com
yourdomain2.com
yourdomain3.com
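Both the Linux and the Windows sections of this appendix show the same ssl-report.cfg and domainlist.txt. The following added example (not SSL Framework's own loader, and written for Python 3 although the framework itself targets Python 2 per the Requirements) reads both files exactly as shown: the optional [syslog] and [proxy] sections stay commented out and are therefore absent, the numeric keys are converted, and the %PATH TO FILE% placeholders are kept as-is. Keeping them is the reason interpolation is switched off: the default configparser treats a bare "%" as an interpolation marker and raises an error on access. The sample texts below are the guide's own, embedded inline so the example runs offline.

```python
# Added example, not part of SSL Framework: read ssl-report.cfg and
# domainlist.txt as shown in Appendix B. Written for Python 3 (the framework
# itself targets Python 2; in Python 2 the equivalent is RawConfigParser).
import configparser

# The cfg text from the guide, placeholders included (constructed sample input).
SAMPLE_CFG = """\
[main]
waitresulttimeout = 60
maxassessmentstimeout = 60
domainslistfile = %PATH TO FILE%/domainlist.txt
maxcacheage = 1
exportformat = cef
reportspath = %PATH TO FOLDER%/reports

connectmaxretries = 10
connectretrytimeout = 60

#[syslog]
#protocol = tcp
#host = 10.10.10.10
#port = 514

#[proxy]
#host = proxyhost
#port = 3128
#login = user
#password = password
"""

# domainlist.txt from the guide, with a blank line added to show it is skipped.
SAMPLE_DOMAINLIST = "yourdomain1.com\nyourdomain2.com\n\nyourdomain3.com\n"

INT_KEYS = ("waitresulttimeout", "maxassessmentstimeout", "maxcacheage",
            "connectmaxretries", "connectretrytimeout")
FORMATS = ("cef", "leef", "splunk")


def load_config(text):
    """Parse the cfg text into a dict; optional sections appear only if present."""
    # interpolation=None keeps "%PATH TO FILE%" literal instead of raising.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    main = dict(parser["main"])
    for key in INT_KEYS:
        main[key] = int(main[key])
    main["exportformat"] = main["exportformat"].lower()
    if main["exportformat"] not in FORMATS:
        raise ValueError("exportformat must be one of %s" % (FORMATS,))
    settings = {"main": main}
    if parser.has_section("syslog"):
        syslog = dict(parser["syslog"])
        syslog["protocol"] = syslog["protocol"].lower()
        if syslog["protocol"] not in ("tcp", "udp"):
            raise ValueError("syslog protocol must be tcp or udp")
        syslog["port"] = int(syslog["port"])
        settings["syslog"] = syslog
    if parser.has_section("proxy"):
        proxy = dict(parser["proxy"])
        proxy["port"] = int(proxy["port"])
        settings["proxy"] = proxy
    return settings


def load_domains(text):
    """One server per line, as in domainlist.txt; blank and '#' lines are skipped."""
    return [line.strip() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def placeholders_break_default_parser(text):
    """Return True if the default (interpolating) parser rejects the placeholders."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    try:
        parser["main"]["domainslistfile"]
        return False
    except configparser.InterpolationError:
        return True


if __name__ == "__main__":
    print(load_config(SAMPLE_CFG))
    print(load_domains(SAMPLE_DOMAINLIST))
    print("default parser fails on %PATH%:", placeholders_break_default_parser(SAMPLE_CFG))
```

Uncommenting the [syslog] block in the file is enough for the loader to pick it up, and the protocol check mirrors the TCP/UDP choice offered during setup.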
