[Snort-users] SSL and Snort

PS packetstack at ...11827...
Mon Feb 6 14:49:18 EST 2012


I guess I may be doing it wrong. I tried to use the .pem file for "xyz.com" in wireshark and I was unable to decrypt the traffic. I am not sure if it is due to the key file options. I am using the following: 192.168.2.1, 3128, http, "key.pem". Since squid is running on 192.168.2.1 port 3128. I will try it again to see what I where I am messing up.

As for using ICAP for ClamAV, I think I can enable icap on the squid server and forward ALL of the request to clamv so that I can sniff the unencrypted packets being sent to clamv. Problem is that I don't think that it would be a good idea to have every single request go to ClamAV just for me to sniff the traffic.

I will try the wireshark approach again and then go from there. Thank you!

On Feb 6, 2012, at 2:22 PM, Will Metcalf wrote:

> If you are using sslbump/dynamic ssl inside of squid nothing is
> preventing you from using the .pem files along with the index file
> ssl_crtd produces for use in wireshark etc. You should adjust the size
> of the DB accordingly. This would allow you to decrypt traffic going
> to from/your proxy if you have rotating packet capture. That said I
> don't know of anything that does exactly what you are talking about.
> Closest thing I've seen is AV scanning with eCAP/ClamAV in conjunction
> with sslbump/dynamic ssl.
> 
> http://www.e-cap.org/Downloads
> 
> Regards,
> 
> Will
> 
> On Mon, Feb 6, 2012 at 12:53 PM, PS <packetstack at ...11827...> wrote:
>> Do you have personal experience with viewssld?
>> 
>> I would like to do this for connections that are made out to the internet. Since I do not have the private keys for the public web servers, I will be using a proxy server (squid) with its ssl-bump feature to perform the sslmitm. From looking at the config file of viewssld, it looks like I will have to provide a certificate for each website that I would like to monitor. Is that how sslmitm is usually performed?
>> 
>> Do you know if many companies have sslmitm for internet connections, or is it primarily used for reverse proxy implementations?
>> 
>> Thank you!
>> 
>> On Feb 6, 2012, at 12:04 PM, Richard Bejtlich wrote:
>> 
>>> This is a popular question...
>>> 
>>> http://resources.infosecinstitute.com/ssl-decryption/
>>> 
>>> Sincerely,
>>> 
>>> Richard
>>> 
>>> On Mon, Feb 6, 2012 at 11:51 AM, PS <packetstack at ...11827...> wrote:
>>>> Hello,
>>>> 
>>>> Does anyone know of a free/opensource tool which could decrypt ssl and make accessible to snort?
>>>> 
>>>> Something like a mitm proxy with the capability to pass the unencrypted packets over to snort for analysis.
>>>> 
>>>> Thanks!
>>>> 
>>>> Victor Pineiro
>>>> 
>>>> 
>>>> ------------------------------------------------------------------------------
>>>> Try before you buy = See our experts in action!
>>>> The most comprehensive online learning library for Microsoft developers
>>>> is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
>>>> Metro Style Apps, more. Free future releases when you subscribe now!
>>>> http://p.sf.net/sfu/learndevnow-dev2
>>>> _______________________________________________
>>>> Snort-users mailing list
>>>> Snort-users at lists.sourceforge.net
>>>> Go to this URL to change user options or unsubscribe:
>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>> Snort-users list archive:
>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>> 
>>>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>> 
>> 
>> ------------------------------------------------------------------------------
>> Try before you buy = See our experts in action!
>> The most comprehensive online learning library for Microsoft developers
>> is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
>> Metro Style Apps, more. Free future releases when you subscribe now!
>> http://p.sf.net/sfu/learndevnow-dev2
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>> 
>> Please visit http://blog.snort.org to stay current on all the latest Snort news!





More information about the Snort-users mailing list