Decrypting SSL traffic using custom DLP certificates


Furkan Çalışkan

Aug 23, 2016, 5:06:22 AM
to security-onion
Hi,

As PoC work, I'm trying to place an SO sensor between a firewall and an SSL-aware DLP device. The DLP device can decrypt the SSL traffic using an intermediate CA and domain-deployed endpoint SSL proxy certificates.


                |--------|
FW--------------|  DLP   |-------| ENDPOINTS
        |       |--------|
        |
        |
        SO


Since the outside world is talking with my endpoints via my SSL cert (the SSL session is terminated on the DLP, and the DLP creates a new SSL connection using my cert),

is there any reliable method for Security Onion to DECRYPT all the traffic using the root/sub-root SSL private key?

Regards,

Grep 8000

Aug 25, 2016, 9:49:52 AM
to security-onion
In the past I have successfully decrypted SSL streams with a given private key using tshark. There's a decent overview here: https://minnmyatsoe.com/2016/01/using-tshark-to-decrypt-ssl-tls-packets/

From there you'd need to find a way to direct the raw decrypted traffic to a Security Onion monitor interface.

Kevin Branch

Aug 25, 2016, 1:28:14 PM
to securit...@googlegroups.com
Some devices that do active SSL decryption provide the option to mirror the decrypted traffic out an additional port to feed to your NSM. For example, certain Palo Alto firewalls offer a feature called "Decryption Port Mirror" for DLP or general NSM use.
If your DLP device happens to support this, it would probably be much easier than trying to get SO to do passive SSL decryption, which would be hit and miss at best thanks to PFS.

Kevin


--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.
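An added worked example (written for this thread, not code from either poster, from Security Onion or from tshark) that illustrates the PFS point above: before handing a passive sensor the DLP proxy's private key, you can read from each session's ServerHello which key exchange was negotiated. Only static RSA key exchange can be decrypted with the server-side private key; DHE/ECDHE and TLS 1.3 derive per-session secrets that the key never sees, which is exactly why passive decryption is "hit and miss". The cipher-suite table below is a small subset of the IANA registry, and the ServerHello builder and sample records are constructed for the demo rather than captured from a real device.

```python
import struct

# Cipher-suite identifiers (IANA TLS Cipher Suite Registry values) mapped to
# (name, key-exchange method). Only a handful of common suites are listed; any
# other value is reported as "unknown" rather than guessed.
KEY_EXCHANGE = {
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA"),
    0x009C: ("TLS_RSA_WITH_AES_128_GCM_SHA256", "RSA"),
    0x009E: ("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "DHE"),
    0xC013: ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "ECDHE"),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
    0xC030: ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "ECDHE"),
    0x1301: ("TLS_AES_128_GCM_SHA256", "TLS1.3 (always ephemeral)"),
}


def parse_server_hello(record: bytes) -> int:
    """Return the cipher suite selected in a TLS ServerHello record.

    Layout: record header (type, version, length) -> handshake header
    (type 0x02, 3-byte length) -> version(2) random(32) session_id_len(1)
    session_id cipher_suite(2) compression(1) [extensions].
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("not a ServerHello handshake message")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < 35:
        raise ValueError("truncated ServerHello")
    sid_len = hello[34]          # session_id length follows version + random
    off = 35 + sid_len
    if len(hello) < off + 2:
        raise ValueError("truncated ServerHello")
    return struct.unpack("!H", hello[off:off + 2])[0]


def classify(cipher_suite: int) -> dict:
    """Say whether a session using this suite can be decrypted passively with
    the server's (here: the DLP proxy's) private key. Only static RSA key
    exchange can; DHE/ECDHE/TLS 1.3 use per-session secrets the key never sees."""
    name, kx = KEY_EXCHANGE.get(cipher_suite, ("unknown", "unknown"))
    return {
        "suite": name,
        "key_exchange": kx,
        "decryptable_with_server_key": kx == "RSA",
    }


def build_server_hello(cipher_suite: int, session_id: bytes = b"") -> bytes:
    """Build a minimal TLS 1.2 ServerHello record. Constructed sample data for
    the demo, not a capture from a real device."""
    random = bytes(range(32))                     # placeholder server random
    hello = (b"\x03\x03" + random + bytes([len(session_id)]) + session_id
             + struct.pack("!H", cipher_suite) + b"\x00")   # null compression
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs


def triage(records) -> dict:
    """Summarise a batch of ServerHello records: how many sessions a passive
    sensor holding the proxy key could decrypt and how many it could not."""
    summary = {"decryptable": 0, "needs_mirror_or_session_keys": 0, "unparsable": 0}
    for rec in records:
        try:
            info = classify(parse_server_hello(rec))
        except ValueError:
            summary["unparsable"] += 1
            continue
        if info["decryptable_with_server_key"]:
            summary["decryptable"] += 1
        else:
            summary["needs_mirror_or_session_keys"] += 1
    return summary


if __name__ == "__main__":
    # Constructed sample: one legacy RSA session, two ECDHE sessions, one TLS 1.3.
    sample = [build_server_hello(0x002F, b"\x01\x02\x03\x04"),
              build_server_hello(0xC02F), build_server_hello(0xC030),
              build_server_hello(0x1301)]
    for rec in sample:
        print(classify(parse_server_hello(rec)))
    print(triage(sample))
```

Run it over the ServerHello records from a capture of the DLP-to-endpoint leg (one record per session). If most sessions land in needs_mirror_or_session_keys, the private key will not get you anywhere, and the decrypted-traffic mirror port (or a session-key log exported by the proxy, where it supports one) is the route to a monitor interface.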

Furkan Çalışkan

Aug 26, 2016, 3:34:41 AM
to security-onion
On Tuesday, 23 August 2016 12:06:22 UTC+3, Furkan Çalışkan wrote:
Thanks. I wish there was a feature for this in SO :)

Furkan Çalışkan

Aug 28, 2016, 6:11:18 AM
to security-onion
On Friday, 26 August 2016 10:34:41 UTC+3, Furkan Çalışkan wrote:
This may help someone else: http://resources.infosecinstitute.com/ssl-decryption/