
[Snort-users] SSL and Snort


PS

Feb 6, 2012, 11:51:32 AM
Hello,

Does anyone know of a free/open-source tool which could decrypt SSL and make it accessible to Snort?

Something like a MITM proxy with the capability to pass the unencrypted packets over to Snort for analysis.

Thanks!

Victor Pineiro


------------------------------------------------------------------------------
Try before you buy = See our experts in action!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-dev2
_______________________________________________
Snort-users mailing list
Snort...@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Richard Bejtlich

Feb 6, 2012, 12:04:42 PM
This is a popular question...

http://resources.infosecinstitute.com/ssl-decryption/

Sincerely,

Richard

PS

Feb 6, 2012, 1:53:58 PM
Do you have personal experience with viewssld?

I would like to do this for connections that are made out to the internet. Since I do not have the private keys for the public web servers, I will be using a proxy server (squid) with its ssl-bump feature to perform the sslmitm. From looking at the config file of viewssld, it looks like I will have to provide a certificate for each website that I would like to monitor. Is that how sslmitm is usually performed?

Do you know if many companies have sslmitm for internet connections, or is it primarily used for reverse proxy implementations?

Thank you!

Will Metcalf

Feb 6, 2012, 2:22:07 PM
If you are using sslbump/dynamic ssl inside of squid, nothing is
preventing you from using the .pem files along with the index file
ssl_crtd produces for use in wireshark etc. You should adjust the size
of the DB accordingly. This would allow you to decrypt traffic going
to/from your proxy if you have rotating packet capture. That said I
don't know of anything that does exactly what you are talking about.
Closest thing I've seen is AV scanning with eCAP/ClamAV in conjunction
with sslbump/dynamic ssl.

http://www.e-cap.org/Downloads

Regards,

Will

PS

Feb 6, 2012, 2:49:18 PM
I guess I may be doing it wrong. I tried to use the .pem file for "xyz.com" in wireshark and I was unable to decrypt the traffic. I am not sure if it is due to the key file options. I am using the following: 192.168.2.1, 3128, http, "key.pem", since squid is running on 192.168.2.1 port 3128. I will try it again to see where I am messing up.

As for using ICAP for ClamAV, I think I can enable icap on the squid server and forward ALL of the requests to ClamAV so that I can sniff the unencrypted packets being sent to ClamAV. Problem is that I don't think that it would be a good idea to have every single request go to ClamAV just for me to sniff the traffic.

I will try the wireshark approach again and then go from there. Thank you!

Edward Fjellskål

Feb 6, 2012, 2:55:32 PM
Hi,

I have found this:
http://gnucitizen.googlecode.com/svn/trunk/

httpproxy.py seems to do some of what you want, but
there is no easy way of sending the data to snort.
(you can see the traffic in console)

Maybe someone with a little python skill could split
the code up a bit and send the packets in cleartext
over a local loop interface with snort on it or something.

That would help the community a bit, but I don't know
about performance though :/

Hope this inspires someone :)

E

Doug Burks

Feb 6, 2012, 3:04:59 PM
Is your .pem file PKCS#8 format by chance? If so, you may need to
convert it to PKCS#1 format as shown here:
http://pauldotcom.com/2010/10/tsharkwireshark-ssl-decryption.html

Regards,
Doug

On Mon, Feb 6, 2012 at 2:49 PM, PS <packe...@gmail.com> wrote:
> I guess I may be doing it wrong. I tried to use the .pem file for "xyz.com" in wireshark and I was unable to decrypt the traffic. I am not sure if it is due to the key file options. I am using the following: 192.168.2.1, 3128, http, "key.pem", since squid is running on 192.168.2.1 port 3128. I will try it again to see where I am messing up.
>
> As for using ICAP for ClamAV, I think I can enable icap on the squid server and forward ALL of the requests to ClamAV so that I can sniff the unencrypted packets being sent to ClamAV. Problem is that I don't think that it would be a good idea to have every single request go to ClamAV just for me to sniff the traffic.
>
> I will try the wireshark approach again and then go from there. Thank you!
>
> On Feb 6, 2012, at 2:22 PM, Will Metcalf wrote:
>
>> If you are using sslbump/dynamic ssl inside of squid, nothing is
>> preventing you from using the .pem files along with the index file
>> ssl_crtd produces for use in wireshark etc. You should adjust the size
>> of the DB accordingly. This would allow you to decrypt traffic going
>> to/from your proxy if you have rotating packet capture. That said I
>> don't know of anything that does exactly what you are talking about.
>> Closest thing I've seen is AV scanning with eCAP/ClamAV in conjunction
>> with sslbump/dynamic ssl.
>>
>> http://www.e-cap.org/Downloads
>>
>> Regards,
>>
>> Will
>>
--
Doug Burks
SANS GSE and Community Instructor
Security Onion | http://securityonion.blogspot.com
President, Greater Augusta ISSA | http://augusta.issa.org

Jim Hranicky

Feb 6, 2012, 3:14:41 PM
On Mon, 6 Feb 2012 11:51:32 -0500
PS <packe...@gmail.com> wrote:

> Hello,
>
> Does anyone know of a free/open-source tool which could decrypt SSL
> and make it accessible to Snort?
>
> Something like a MITM proxy with the capability to pass the
> unencrypted packets over to Snort for analysis.
>
> Thanks!
>
> Victor Pineiro

Someone sent this to the Emerging Threats list a while back:

http://lists.emergingthreats.net/pipermail/emerging-sigs/2011-August/015186.html

Seems like it should work for a regular linux-based router, though
getting the info to snort would probably take a little work.

--
Jim Hranicky
IT Security Engineer
Office of Information Security and Compliance
University of Florida

PS

Feb 6, 2012, 3:52:52 PM
Thanks Doug!

I will follow those steps to see if I can get it to work.

When I first tried it I had the same problem due to the key file being in a PKCS#8 format. I converted it to PKCS#1 format and tried again and saw that it was loaded into Wireshark. I retried to see if the traffic was decrypted but unfortunately it wasn't. Did the key file that was being used contain both the private key and the certificate of the server or just the private key?
>>>>> On Mon, Feb 6, 2012 at 11:51 AM, PS <packe...@gmail.com> wrote:
>>>>>> Hello,
>>>>>>
>>>>>> Does anyone know of a free/open-source tool which could decrypt SSL and make it accessible to Snort?
>>>>>>
>>>>>> Something like a MITM proxy with the capability to pass the unencrypted packets over to Snort for analysis.
>>>>>>
>>>>>> Thanks!
>>>>>>
>>>>>> Victor Pineiro
>>>>>>
>>>>>>
> --
> Doug Burks
> SANS GSE and Community Instructor
> Security Onion | http://securityonion.blogspot.com
> President, Greater Augusta ISSA | http://augusta.issa.org

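An added check, not from the thread, covering Doug's PKCS#8 vs PKCS#1 point and the key-plus-certificate question just above: it inventories the PEM blocks in a key file and reports what would stop the Wireshark RSA-key loader from using it. The sample PEM texts are constructed with placeholder bodies; only the armour headers are inspected.

```python
import re

# Constructed sample inputs (placeholder bodies, not real key material): the checks
# below look only at the PEM armour headers, which is where the PKCS#1 / PKCS#8
# difference shows up.
PKCS8_KEY = "-----BEGIN PRIVATE KEY-----\nMIIE...placeholder...\n-----END PRIVATE KEY-----\n"
PKCS1_KEY_WITH_CERT = (
    "-----BEGIN CERTIFICATE-----\nMIID...placeholder...\n-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\nMIIE...placeholder...\n-----END RSA PRIVATE KEY-----\n"
)
ENCRYPTED_PKCS1 = (
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,0011...placeholder...\n\nMIIE...placeholder...\n"
    "-----END RSA PRIVATE KEY-----\n"
)

BLOCK_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)-----END \1-----", re.S)

def pem_blocks(text):
    """Return [(label, body)] for every PEM block, in file order."""
    return [(m.group(1), m.group(2)) for m in BLOCK_RE.finditer(text)]

def check_key_file(text):
    """Classify a PEM file the way an RSA-key loader such as Wireshark's needs it.
    Returns (ok, findings); ok is True only for exactly one plaintext PKCS#1 RSA key."""
    findings = []
    blocks = pem_blocks(text)
    keys = [(l, b) for l, b in blocks if "PRIVATE KEY" in l]
    certs = [l for l, _ in blocks if l == "CERTIFICATE"]
    if len(keys) != 1:
        findings.append("expected exactly one private key block, found %d" % len(keys))
        return False, findings
    label, body = keys[0]
    ok = True
    if label == "PRIVATE KEY":                       # PKCS#8, unencrypted
        ok = False
        findings.append("PKCS#8 key; convert with: openssl rsa -in key.pem -out key-pkcs1.pem "
                        "(add -traditional on OpenSSL 3)")
    elif label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
        ok = False
        findings.append("key is passphrase-protected; strip it with openssl rsa before use")
    elif label != "RSA PRIVATE KEY":                 # e.g. EC PRIVATE KEY
        ok = False
        findings.append("unsupported key type %r (only RSA keys can decrypt RSA key exchange)" % label)
    if certs:
        findings.append("file also bundles %d certificate(s); only the private key is needed" % len(certs))
    return ok, findings
```

Decryption with the server key only works for sessions that negotiated RSA key exchange; with (EC)DHE suites the private key is not enough, whatever its format.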

PS

Feb 6, 2012, 3:56:38 PM
I will also take a look at this. Thanks!

On Feb 6, 2012, at 3:14 PM, Jim Hranicky wrote:

> On Mon, 6 Feb 2012 11:51:32 -0500
> PS <packe...@gmail.com> wrote:
>
>> Hello,
>>
>> Does anyone know of a free/open-source tool which could decrypt SSL
>> and make it accessible to Snort?
>>
>> Something like a MITM proxy with the capability to pass the
>> unencrypted packets over to Snort for analysis.
>>
>> Thanks!
>>
>> Victor Pineiro
>
> Someone sent this to the Emerging Threats list a while back:
>
> http://lists.emergingthreats.net/pipermail/emerging-sigs/2011-August/015186.html
>
> Seems like it should work for a regular linux-based router, though
> getting the info to snort would probably take a little work.
>
> --
> Jim Hranicky
> IT Security Engineer
> Office of Information Security and Compliance
> University of Florida

