Re: SSL and Snort

[Doug Burks <doug.burks () gmail com>]

Is your .pem file PKCS#8 format by chance?  If so, you may need to
convert it to PKCS#1 format as shown here:
http://pauldotcom.com/2010/10/tsharkwireshark-ssl-decryption.html

Regards,
Doug

On Mon, Feb 6, 2012 at 2:49 PM, PS <packetstack () gmail com> wrote:
> I guess I may be doing it wrong. I tried to use the .pem file for "xyz.com" in wireshark and I was unable to decrypt 
> the traffic. I am not sure if it is due to the key file options. I am using the following: 192.168.2.1, 3128, http, 
> "key.pem". Since squid is running on 192.168.2.1 port 3128. I will try it again to see what I where I am messing up.
>
> As for using ICAP for ClamAV, I think I can enable icap on the squid server and forward ALL of the request to clamv 
> so that I can sniff the unencrypted packets being sent to clamv. Problem is that I don't think that it would be a 
> good idea to have every single request go to ClamAV just for me to sniff the traffic.
>
> I will try the wireshark approach again and then go from there. Thank you!
>
> On Feb 6, 2012, at 2:22 PM, Will Metcalf wrote:
>
> > If you are using sslbump/dynamic ssl inside of squid nothing is
> > preventing you from using the .pem files along with the index file
> > ssl_crtd produces for use in wireshark etc. You should adjust the size
> > of the DB accordingly. This would allow you to decrypt traffic going
> > to from/your proxy if you have rotating packet capture. That said I
> > don't know of anything that does exactly what you are talking about.
> > Closest thing I've seen is AV scanning with eCAP/ClamAV in conjunction
> > with sslbump/dynamic ssl.
> >
> > http://www.e-cap.org/Downloads
> >
> > Regards,
> >
> > Will
> >
> > On Mon, Feb 6, 2012 at 12:53 PM, PS <packetstack () gmail com> wrote:
> > > Do you have personal experience with viewssld?
> > >
> > > I would like to do this for connections that are made out to the internet. Since I do not have the private keys for 
> > > the public web servers, I will be using a proxy server (squid) with its ssl-bump feature to perform the sslmitm. 
> > > From looking at the config file of viewssld, it looks like I will have to provide a certificate for each website 
> > > that I would like to monitor. Is that how sslmitm is usually performed?
> > >
> > > Do you know if many companies have sslmitm for internet connections, or is it primarily used for reverse proxy 
> > > implementations?
> > >
> > > Thank you!
> > >
> > > On Feb 6, 2012, at 12:04 PM, Richard Bejtlich wrote:
> > >
> > > > This is a popular question...
> > > >
> > > > http://resources.infosecinstitute.com/ssl-decryption/
> > > >
> > > > Sincerely,
> > > >
> > > > Richard
> > > >
> > > > On Mon, Feb 6, 2012 at 11:51 AM, PS <packetstack () gmail com> wrote:
> > > > > Hello,
> > > > >
> > > > > Does anyone know of a free/opensource tool which could decrypt ssl and make accessible to snort?
> > > > >
> > > > > Something like a mitm proxy with the capability to pass the unencrypted packets over to snort for analysis.
> > > > >
> > > > > Thanks!
> > > > >
> > > > > Victor Pineiro
> > > > >
> > > > >
> > > > > ------------------------------------------------------------------------------
> > > > > Try before you buy = See our experts in action!
> > > > > The most comprehensive online learning library for Microsoft developers
> > > > > is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
> > > > > Metro Style Apps, more. Free future releases when you subscribe now!
> > > > > http://p.sf.net/sfu/learndevnow-dev2
> > > > > _______________________________________________
> > > > > Snort-users mailing list
> > > > > Snort-users () lists sourceforge net
> > > > > Go to this URL to change user options or unsubscribe:
> > > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > > Snort-users list archive:
> > > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > > > >
> > > > > Please visit http://blog.snort.org to stay current on all the latest Snort news!
> > >
> > >
> > > ------------------------------------------------------------------------------
> > > Try before you buy = See our experts in action!
> > > The most comprehensive online learning library for Microsoft developers
> > > is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
> > > Metro Style Apps, more. Free future releases when you subscribe now!
> > > http://p.sf.net/sfu/learndevnow-dev2
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > >
> > > Please visit http://blog.snort.org to stay current on all the latest Snort news!
>
>
> ------------------------------------------------------------------------------
> Try before you buy = See our experts in action!
> The most comprehensive online learning library for Microsoft developers
> is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
> Metro Style Apps, more. Free future releases when you subscribe now!
> http://p.sf.net/sfu/learndevnow-dev2
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!



-- 
Doug Burks
SANS GSE and Community Instructor
Security Onion | http://securityonion.blogspot.com
President, Greater Augusta ISSA | http://augusta.issa.org

------------------------------------------------------------------------------
Try before you buy = See our experts in action!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-dev2
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!