Re: SSL and Snort

[Will Metcalf <william.metcalf () gmail com>]

If you are using sslbump/dynamic ssl inside of squid nothing is
preventing you from using the .pem files along with the index file
ssl_crtd produces for use in wireshark etc. You should adjust the size
of the DB accordingly. This would allow you to decrypt traffic going
to from/your proxy if you have rotating packet capture. That said I
don't know of anything that does exactly what you are talking about.
Closest thing I've seen is AV scanning with eCAP/ClamAV in conjunction
with sslbump/dynamic ssl.

http://www.e-cap.org/Downloads

Regards,

Will

On Mon, Feb 6, 2012 at 12:53 PM, PS <packetstack () gmail com> wrote:
> Do you have personal experience with viewssld?
>
> I would like to do this for connections that are made out to the internet. Since I do not have the private keys for 
> the public web servers, I will be using a proxy server (squid) with its ssl-bump feature to perform the sslmitm. From 
> looking at the config file of viewssld, it looks like I will have to provide a certificate for each website that I 
> would like to monitor. Is that how sslmitm is usually performed?
>
> Do you know if many companies have sslmitm for internet connections, or is it primarily used for reverse proxy 
> implementations?
>
> Thank you!
>
> On Feb 6, 2012, at 12:04 PM, Richard Bejtlich wrote:
>
> > This is a popular question...
> >
> > http://resources.infosecinstitute.com/ssl-decryption/
> >
> > Sincerely,
> >
> > Richard
> >
> > On Mon, Feb 6, 2012 at 11:51 AM, PS <packetstack () gmail com> wrote:
> > > Hello,
> > >
> > > Does anyone know of a free/opensource tool which could decrypt ssl and make accessible to snort?
> > >
> > > Something like a mitm proxy with the capability to pass the unencrypted packets over to snort for analysis.
> > >
> > > Thanks!
> > >
> > > Victor Pineiro
> > >
> > >
> > > ------------------------------------------------------------------------------
> > > Try before you buy = See our experts in action!
> > > The most comprehensive online learning library for Microsoft developers
> > > is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
> > > Metro Style Apps, more. Free future releases when you subscribe now!
> > > http://p.sf.net/sfu/learndevnow-dev2
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > >
> > > Please visit http://blog.snort.org to stay current on all the latest Snort news!
>
>
> ------------------------------------------------------------------------------
> Try before you buy = See our experts in action!
> The most comprehensive online learning library for Microsoft developers
> is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
> Metro Style Apps, more. Free future releases when you subscribe now!
> http://p.sf.net/sfu/learndevnow-dev2
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Try before you buy = See our experts in action!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-dev2
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!