[Snort-users] SSL and Snort

Doug Burks doug.burks at ...11827...
Mon Feb 6 15:04:59 EST 2012


Is your .pem file PKCS#8 format by chance?  If so, you may need to
convert it to PKCS#1 format as shown here:
http://pauldotcom.com/2010/10/tsharkwireshark-ssl-decryption.html

Regards,
Doug

On Mon, Feb 6, 2012 at 2:49 PM, PS <packetstack at ...11827...> wrote:
> I guess I may be doing it wrong. I tried to use the .pem file for "xyz.com" in wireshark and I was unable to decrypt the traffic. I am not sure if it is due to the key file options. I am using the following: 192.168.2.1, 3128, http, "key.pem". Since squid is running on 192.168.2.1 port 3128. I will try it again to see where I am messing up.
>
> As for using ICAP for ClamAV, I think I can enable icap on the squid server and forward ALL of the requests to ClamAV so that I can sniff the unencrypted packets being sent to ClamAV. Problem is that I don't think that it would be a good idea to have every single request go to ClamAV just for me to sniff the traffic.
>
> I will try the wireshark approach again and then go from there. Thank you!
>
> On Feb 6, 2012, at 2:22 PM, Will Metcalf wrote:
>
>> If you are using sslbump/dynamic ssl inside of squid nothing is
>> preventing you from using the .pem files along with the index file
>> ssl_crtd produces for use in wireshark etc. You should adjust the size
>> of the DB accordingly. This would allow you to decrypt traffic going
>> to/from your proxy if you have rotating packet capture. That said I
>> don't know of anything that does exactly what you are talking about.
>> Closest thing I've seen is AV scanning with eCAP/ClamAV in conjunction
>> with sslbump/dynamic ssl.
>>
>> http://www.e-cap.org/Downloads
>>
>> Regards,
>>
>> Will
>>
>> On Mon, Feb 6, 2012 at 12:53 PM, PS <packetstack at ...11827...> wrote:
>>> Do you have personal experience with viewssld?
>>>
>>> I would like to do this for connections that are made out to the internet. Since I do not have the private keys for the public web servers, I will be using a proxy server (squid) with its ssl-bump feature to perform the sslmitm. From looking at the config file of viewssld, it looks like I will have to provide a certificate for each website that I would like to monitor. Is that how sslmitm is usually performed?
>>>
>>> Do you know if many companies have sslmitm for internet connections, or is it primarily used for reverse proxy implementations?
>>>
>>> Thank you!
>>>
>>> On Feb 6, 2012, at 12:04 PM, Richard Bejtlich wrote:
>>>
>>>> This is a popular question...
>>>>
>>>> http://resources.infosecinstitute.com/ssl-decryption/
>>>>
>>>> Sincerely,
>>>>
>>>> Richard
>>>>
>>>> On Mon, Feb 6, 2012 at 11:51 AM, PS <packetstack at ...11827...> wrote:
>>>>> Hello,
>>>>>
>>>>> Does anyone know of a free/opensource tool which could decrypt ssl and make it accessible to snort?
>>>>>
>>>>> Something like a mitm proxy with the capability to pass the unencrypted packets over to snort for analysis.
>>>>>
>>>>> Thanks!
>>>>>
>>>>> Victor Pineiro
>>>>>
>>>>>
>>>>> ------------------------------------------------------------------------------
>>>>> Try before you buy = See our experts in action!
>>>>> The most comprehensive online learning library for Microsoft developers
>>>>> is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
>>>>> Metro Style Apps, more. Free future releases when you subscribe now!
>>>>> http://p.sf.net/sfu/learndevnow-dev2
>>>>> _______________________________________________
>>>>> Snort-users mailing list
>>>>> Snort-users at lists.sourceforge.net
>>>>> Go to this URL to change user options or unsubscribe:
>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>> Snort-users list archive:
>>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>>>
>>>>> Please visit http://blog.snort.org to stay current on all the latest Snort news!



-- 
Doug Burks
SANS GSE and Community Instructor
Security Onion | http://securityonion.blogspot.com
President, Greater Augusta ISSA | http://augusta.issa.org
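An added example, not code from the thread or from any of the posters, for the format check Doug suggests above: a small POSIX shell helper that classifies a PEM private key by its header (PKCS#8 keys start with "BEGIN PRIVATE KEY", PKCS#1 RSA keys with "BEGIN RSA PRIVATE KEY") and converts PKCS#8 to PKCS#1 with `openssl rsa` only when needed. The function names and the sample PEM headers (which carry no real key material) are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): tell which container format a PEM
# private key uses before handing it to Wireshark's RSA key list, and
# convert PKCS#8 -> PKCS#1 with openssl if necessary.

# Print the format of the first PEM block in file $1:
#   pkcs1 | pkcs8 | pkcs8-encrypted | unknown
pem_key_format() {
    # "|| true" keeps a no-match grep from aborting callers that use set -e
    header=$(grep -m1 '^-----BEGIN ' "$1" 2>/dev/null || true)
    case "$header" in
        '-----BEGIN RSA PRIVATE KEY-----')       echo pkcs1 ;;
        '-----BEGIN PRIVATE KEY-----')           echo pkcs8 ;;
        '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo pkcs8-encrypted ;;
        *)                                       echo unknown ;;
    esac
}

# Write a PKCS#1 ("BEGIN RSA PRIVATE KEY") copy of key $1 to path $2.
# A key that is already PKCS#1 is copied unchanged; an encrypted PKCS#8
# key makes openssl prompt for its passphrase.
to_pkcs1() {
    case "$(pem_key_format "$1")" in
        pkcs1)                  cp "$1" "$2" ;;
        pkcs8|pkcs8-encrypted)  openssl rsa -in "$1" -out "$2" ;;
        *) echo "not a recognised PEM private key: $1" >&2; return 1 ;;
    esac
}

# Demo on a constructed PKCS#8-style header (no real key material).
demo() {
    tmp=$(mktemp)
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'AAAA' \
                  '-----END PRIVATE KEY-----' > "$tmp"
    pem_key_format "$tmp"   # prints: pkcs8
    rm -f "$tmp"
}

demo
```

Running `to_pkcs1 key.pem key_pkcs1.pem` gives a file whose header Wireshark's RSA key list accepts. Note that RSA-private-key decryption in Wireshark only works for sessions that used the RSA key exchange; suites with DHE or ECDHE key exchange cannot be decrypted from the server key alone, which is another reason a session can stay opaque even when the key file is in the right format.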



