Snort mailing list archives
Re: SSL and Snort
From: Doug Burks <doug.burks () gmail com>
Date: Mon, 6 Feb 2012 15:04:59 -0500
Is your .pem file PKCS#8 format by chance? If so, you may need to convert it to PKCS#1 format as shown here: http://pauldotcom.com/2010/10/tsharkwireshark-ssl-decryption.html

Regards,
Doug

On Mon, Feb 6, 2012 at 2:49 PM, PS <packetstack () gmail com> wrote:

I guess I may be doing it wrong. I tried to use the .pem file for "xyz.com" in Wireshark and I was unable to decrypt the traffic. I am not sure if it is due to the key file options. I am using the following: 192.168.2.1, 3128, http, "key.pem", since squid is running on 192.168.2.1 port 3128. I will try it again to see where I am messing up.

As for using ICAP for ClamAV, I think I can enable ICAP on the squid server and forward ALL of the requests to ClamAV so that I can sniff the unencrypted packets being sent to ClamAV. The problem is that I don't think it would be a good idea to have every single request go to ClamAV just for me to sniff the traffic. I will try the Wireshark approach again and then go from there.

Thank you!

On Feb 6, 2012, at 2:22 PM, Will Metcalf wrote:

If you are using sslbump/dynamic ssl inside of squid, nothing is preventing you from using the .pem files along with the index file ssl_crtd produces for use in Wireshark etc. You should adjust the size of the DB accordingly. This would allow you to decrypt traffic going to/from your proxy if you have a rotating packet capture. That said, I don't know of anything that does exactly what you are talking about. The closest thing I've seen is AV scanning with eCAP/ClamAV in conjunction with sslbump/dynamic ssl. http://www.e-cap.org/Downloads

Regards,
Will

On Mon, Feb 6, 2012 at 12:53 PM, PS <packetstack () gmail com> wrote:

Do you have personal experience with viewssld? I would like to do this for connections that are made out to the internet. Since I do not have the private keys for the public web servers, I will be using a proxy server (squid) with its ssl-bump feature to perform the sslmitm. From looking at the config file of viewssld, it looks like I will have to provide a certificate for each website that I would like to monitor. Is that how sslmitm is usually performed? Do you know if many companies have sslmitm for internet connections, or is it primarily used for reverse proxy implementations?
Thank you!

On Feb 6, 2012, at 12:04 PM, Richard Bejtlich wrote:

This is a popular question... http://resources.infosecinstitute.com/ssl-decryption/

Sincerely,
Richard

On Mon, Feb 6, 2012 at 11:51 AM, PS <packetstack () gmail com> wrote:

Hello,

Does anyone know of a free/opensource tool which could decrypt SSL and make it accessible to Snort? Something like a MITM proxy with the capability to pass the unencrypted packets over to Snort for analysis.

Thanks!
Victor Pineiro

------------------------------------------------------------------------------
Try before you buy = See our experts in action! The most comprehensive online learning library for Microsoft developers is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3, Metro Style Apps, more. Free future releases when you subscribe now! http://p.sf.net/sfu/learndevnow-dev2
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
--
Doug Burks
SANS GSE and Community Instructor
Security Onion | http://securityonion.blogspot.com
President, Greater Augusta ISSA | http://augusta.issa.org
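The PKCS#8 check Doug suggests, as an added example that is not from this thread or from Snort, Squid or Wireshark: a standard-library-only Python script that tells the two PEM forms apart by their header and unwraps an unencrypted PKCS#8 RSA key into the PKCS#1 "BEGIN RSA PRIVATE KEY" form that Wireshark's older RSA keys list (the "ip, port, protocol, keyfile" entries PS is filling in) expected. PKCS#8 wraps the RSAPrivateKey structure inside a PrivateKeyInfo SEQUENCE (version, AlgorithmIdentifier, OCTET STRING), so the conversion is a plain DER unwrap with no cryptography involved. The sample key is constructed here from textbook toy numbers (p=61, q=53) so the script runs offline; it is structurally valid DER but not a usable key. On a real key the equivalent is `openssl rsa -in key.pem -out key-pkcs1.pem` (with OpenSSL 3.x add `-traditional`, otherwise it writes PKCS#8 again).

```python
"""Detect PKCS#8 vs PKCS#1 RSA private-key PEM and unwrap PKCS#8 -> PKCS#1.

Standard library only. The sample key is CONSTRUCTED from toy numbers and is
structurally valid DER, not a real key.
"""
import base64
import re

# DER contents of OID 1.2.840.113549.1.1.1 (rsaEncryption)
RSA_OID = bytes.fromhex("2a864886f70d010101")


# --- minimal DER helpers ----------------------------------------------------

def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def der_int(v: int) -> bytes:
    """Non-negative INTEGER; the extra byte keeps the sign bit clear."""
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, contents, position just after this element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:  # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


# --- PEM helpers --------------------------------------------------------------

def pem_label(pem: str) -> str:
    m = re.search(r"-----BEGIN ([A-Z ]+)-----", pem)
    if not m:
        raise ValueError("not a PEM file")
    return m.group(1)


def pem_body(pem: str) -> bytes:
    lines = [s for s in (l.strip() for l in pem.splitlines()) if s and not s.startswith("-----")]
    return base64.b64decode("".join(lines))


def pem_encode(label: str, der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{wrapped}\n-----END {label}-----\n"


def key_format(pem: str) -> str:
    """'pkcs1' is what the old Wireshark RSA keys list wanted; 'pkcs8' needs unwrapping."""
    return {"RSA PRIVATE KEY": "pkcs1", "PRIVATE KEY": "pkcs8",
            "ENCRYPTED PRIVATE KEY": "pkcs8-encrypted"}.get(pem_label(pem), "unknown")


def pkcs8_to_pkcs1(pem: str) -> str:
    """Unwrap unencrypted PKCS#8: the RSAPrivateKey is the privateKey OCTET STRING."""
    fmt = key_format(pem)
    if fmt == "pkcs1":
        return pem  # nothing to do
    if fmt != "pkcs8":
        raise ValueError(f"cannot convert a {fmt} key; decrypt or identify it first")
    tag, outer, _ = read_tlv(pem_body(pem), 0)
    if tag != 0x30:
        raise ValueError("PrivateKeyInfo must be a SEQUENCE")
    tag, version, pos = read_tlv(outer, 0)
    if tag != 0x02 or version != b"\x00":
        raise ValueError("unexpected PrivateKeyInfo version")
    tag, alg_id, pos = read_tlv(outer, pos)
    oid_tag, oid, _ = read_tlv(alg_id, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("not an rsaEncryption key (EC/DSA keys have no PKCS#1 RSA form)")
    tag, inner, _ = read_tlv(outer, pos)
    if tag != 0x04 or inner[:1] != b"\x30":
        raise ValueError("privateKey OCTET STRING does not hold an RSAPrivateKey SEQUENCE")
    return pem_encode("RSA PRIVATE KEY", inner)


def rsa_fields(pkcs1_pem: str) -> list:
    """Decode RSAPrivateKey integers: [version, n, e, d, p, q, dP, dQ, qInv]."""
    _, seq, _ = read_tlv(pem_body(pkcs1_pem), 0)
    out, pos = [], 0
    while pos < len(seq):
        tag, val, pos = read_tlv(seq, pos)
        if tag != 0x02:
            raise ValueError("RSAPrivateKey should contain only INTEGERs")
        out.append(int.from_bytes(val, "big"))
    return out


# --- constructed sample: textbook toy RSA (p=61, q=53), NOT a usable key -----
TOY_FIELDS = [0, 3233, 17, 2753, 61, 53, 53, 49, 38]  # version, n, e, d, p, q, dP, dQ, qInv


def build_sample_pkcs8() -> str:
    rsa_key = tlv(0x30, b"".join(der_int(f) for f in TOY_FIELDS))
    alg_id = tlv(0x30, tlv(0x06, RSA_OID) + tlv(0x05, b""))  # rsaEncryption, NULL params
    pki = tlv(0x30, der_int(0) + alg_id + tlv(0x04, rsa_key))  # PrivateKeyInfo v0
    return pem_encode("PRIVATE KEY", pki)


if __name__ == "__main__":
    sample = build_sample_pkcs8()
    print("input :", key_format(sample))
    converted = pkcs8_to_pkcs1(sample)
    print("output:", key_format(converted))
    print(converted)
```

Two caveats that hold regardless of the key format: Wireshark can only decrypt with a server private key when the session negotiated RSA key exchange (ephemeral DH/ECDH suites leave nothing the key can recover, and need a session-key log instead), and in a squid ssl-bump deployment the key that matters for the client-to-proxy leg is whichever one Squid presents to the clients, not the origin server's.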
Current thread:
- SSL and Snort PS (Feb 06)
- Re: SSL and Snort Richard Bejtlich (Feb 06)
- Re: SSL and Snort PS (Feb 06)
- Re: SSL and Snort Will Metcalf (Feb 06)
- Re: SSL and Snort PS (Feb 06)
- Re: SSL and Snort Doug Burks (Feb 06)
- Re: SSL and Snort PS (Feb 06)
- Re: SSL and Snort PS (Feb 07)
- Re: SSL and Snort PS (Feb 06)
- Re: SSL and Snort Richard Bejtlich (Feb 06)
- Re: SSL and Snort Edward Fjellskål (Feb 06)
- Re: SSL and Snort PS (Feb 06)