PaulDotCom mailing list archives

Re: Inspecting SSL traffic for free "A.K.A IDS/IPS onSSLconnections"


From: "Liam Randall" <Liam.Randall () gigaco com>
Date: Thu, 7 Jun 2012 00:49:41 -0400

This won't get you all the way there.

If you haven't looked at it yet, maybe try setting up Bro to dissect your
network traffic in real time.  They have a fancy SSL analyzer, however it
is not going to fully decrypt all of your SSL sessions.  It will report
on keys, signing, sessions, etc. for nearly everything speaking SSL.
Jump right to pages 165/166 for an overview:
http://tracker.bro-ids.org/bro/export/5bf18fdb7f1d54d290728ce02b95e1579b3a65f0/bro/doc/ref-manual/Bro-Ref-Manual.pdf

I would drop by #bro-ids on freenode.

Tangentially related, with the 2.0 release out of the box you can start to
get real fancy and detect things like browser plugins off the wire, dump
plain text passwords, etc.  The 2.0 release has pretty good protocol
coverage and those guys are working their butts off on SMB and others.

Other stuff you may need to capture and disassemble offline w/ Xplico,
chaosreader, wireshark, etc.

Bro is now included in security onion; highly recommend it.  It also has
daemonlogger (for full packet capture), snort/suricata, sguil, xplico,
wireshark, chaosreader...  

Best of luck.

Liam Randall

-----Original Message-----
From: pauldotcom-bounces () mail pauldotcom com
[mailto:pauldotcom-bounces () mail pauldotcom com] On Behalf Of Sherif
El-Deeb
Sent: Wednesday, June 06, 2012 11:51 PM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Inspecting SSL traffic for free "A.K.A IDS/IPS
onSSLconnections"

Liam,
Looks like just what I have been looking for, thanks a million! But it
will be limited to HTTPS traffic, "I guess?"... no POP3S or IMAPS.

I managed yesterday to do a workaround that handled everything SSL:
using SSLsplit "http://mirror.roe.ch/rel/sslsplit/sslsplit-latest.1.txt"
and iptables.

After running it for a few hours it works fine; I will do testing for a
couple of days before pushing to production.

Thanks again.
Sherif Eldeeb.

On Thu, Jun 7, 2012 at 5:28 AM, Liam Randall <Liam.Randall () gigaco com>
wrote:
Squid SSL-bump might do the trick for you.

http://wiki.squid-cache.org/Features/SslBump

Liam Randall

-----Original Message-----
From: pauldotcom-bounces () mail pauldotcom com
[mailto:pauldotcom-bounces () mail pauldotcom com] On Behalf Of Sherif 
El-Deeb
Sent: Monday, June 04, 2012 12:50 AM
To: PaulDotCom Security Weekly Mailing List
Subject: [Pauldotcom] Inspecting SSL traffic for free "A.K.A IDS/IPS 
on SSLconnections"

- I would like to inspect traffic for SSL (TLS?) connections. I already
pushed our own root CA to all machines' trusted root certificates and
no warnings show up when a certificate that is signed by it gets
served.

- The feature I am looking for is like "Burp's invisible proxy +
generate CA-signed per-host certificates", where a certificate is
generated on the fly for each host using a pre-defined pre-trusted
root CA while being able to inspect the payload. "No, ettercap is not
production friendly and it does not allow HTTPS interception in bridge
sniffing; Cain is no better."

- I know that wireshark decrypts SSL traffic when you provide it with 
the private key, the tricky part is the 
"on-the-fly-per-host-certificate-generation".

- That particular subnet's gateway is a Linux machine with two NICs,
simple iptables NAT, 30 computers...

- I am aware of a few commercial products that do this, but I would
appreciate being told how to do it for free.

Thanks in advance.
Sherif Eldeeb.
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
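The certificate step Sherif asks about (a leaf minted on the fly for each host, signed by a root the managed machines already trust) is what SSLsplit, Squid SSL-bump and Burp's invisible proxy all do internally. The following is an added example, not code from the thread or from any of those tools: it uses Go's standard library to build an internal root, mint a per-host leaf, and then run the exact check a client endpoint performs against its trust store. It also covers the case the text does not mention, a client that connects to an IP literal rather than a hostname, which needs an IP SAN instead of a DNS SAN. The CA name and the hostnames are constructed placeholders; a real deployment loads the root key and certificate from disk and caches minted leaves rather than re-minting per connection.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// InternalCA is the organization-controlled root that the managed endpoints already trust.
type InternalCA struct {
	Root *x509.Certificate // the certificate pushed to every client's trusted store
	key  *ecdsa.PrivateKey
}

// mint generates a P-256 key and a random 127-bit serial, then has parent sign tmpl.
// With parentKey nil the new key signs itself, which is how the root is created.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if tmpl.SerialNumber, err = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127)); err != nil {
		return nil, nil, err
	}
	if parentKey == nil {
		parentKey = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewInternalCA generates a self-signed root; the name is a constructed placeholder.
func NewInternalCA(name string) (*InternalCA, error) {
	now := time.Now()
	tmpl := &x509.Certificate{
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	cert, key, err := mint(tmpl, tmpl, nil)
	if err != nil {
		return nil, err
	}
	return &InternalCA{Root: cert, key: key}, nil
}

// LeafFor mints a server certificate for host, signed by the internal root. In an
// SSL-bump style proxy this runs with the hostname taken from the client's SNI or CONNECT.
func (ca *InternalCA) LeafFor(host string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	now := time.Now()
	tmpl := &x509.Certificate{
		Subject:     pkix.Name{CommonName: host},
		NotBefore:   now.Add(-5 * time.Minute), // tolerate client clock skew
		NotAfter:    now.Add(24 * time.Hour),   // short-lived: limits the damage from a leaked leaf key
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// Clients match the SAN, not the CN: IP literals go in IPAddresses, names in DNSNames.
	if ip := net.ParseIP(host); ip != nil {
		tmpl.IPAddresses = []net.IP{ip}
	} else {
		tmpl.DNSNames = []string{host}
	}
	return mint(tmpl, ca.Root, ca.key)
}

// TrustedBy performs the check a managed endpoint makes: does leaf chain to root
// and name host? A nil error means the client connects without a warning.
func TrustedBy(root, leaf *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

func main() {
	ca, err := NewInternalCA("Example Corp Inspection Root (constructed)")
	if err != nil {
		panic(err)
	}
	for _, host := range []string{"mail.example.internal", "10.0.0.25"} {
		if cert, _, err := ca.LeafFor(host); err == nil {
			fmt.Printf("%s serial=%x trusted=%v\n", host, cert.SerialNumber, TrustedBy(ca.Root, cert, host) == nil)
		}
	}
}
```

Two properties of this design matter for a production bump proxy. First, `TrustedBy` only succeeds for clients that hold the internal root, which is why pushing that root to the managed machines had to come before any interception; a client without it rejects every minted leaf, and a leaf minted for one host is rejected for any other. Second, the proxy now stands in for the real server's certificate, so it must itself validate the upstream server's certificate chain and hostname before relaying, otherwise the clients behind it lose the server authentication TLS normally gives them.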