[Snort-users] SSL and Snort

PS packetstack at ...11827...
Mon Feb 6 15:52:52 EST 2012


Thanks Doug!

I will follow those steps to see if I can get it to work. 

When I first tried it I had the same problem due to the key file being in a PKCS#8 format. I converted it to PKCS#1 format and tried again and saw that it was loaded into Wireshark. I retried to see if the traffic was decrypted but unfortunately it wasn't. Did the key file that was being used contain both the private key and the certificate of the server or just the private key?

On Feb 6, 2012, at 3:04 PM, Doug Burks wrote:

> Is your .pem file PKCS#8 format by chance?  If so, you may need to
> convert it to PKCS#1 format as shown here:
> http://pauldotcom.com/2010/10/tsharkwireshark-ssl-decryption.html
> 
> Regards,
> Doug
> 
> On Mon, Feb 6, 2012 at 2:49 PM, PS <packetstack at ...11827...> wrote:
>> I guess I may be doing it wrong. I tried to use the .pem file for "xyz.com" in wireshark and I was unable to decrypt the traffic. I am not sure if it is due to the key file options. I am using the following: 192.168.2.1, 3128, http, "key.pem". Since squid is running on 192.168.2.1 port 3128. I will try it again to see what I where I am messing up.
>> 
>> As for using ICAP for ClamAV, I think I can enable icap on the squid server and forward ALL of the request to clamv so that I can sniff the unencrypted packets being sent to clamv. Problem is that I don't think that it would be a good idea to have every single request go to ClamAV just for me to sniff the traffic.
>> 
>> I will try the wireshark approach again and then go from there. Thank you!
>> 
>> On Feb 6, 2012, at 2:22 PM, Will Metcalf wrote:
>> 
>>> If you are using sslbump/dynamic ssl inside of squid nothing is
>>> preventing you from using the .pem files along with the index file
>>> ssl_crtd produces for use in wireshark etc. You should adjust the size
>>> of the DB accordingly. This would allow you to decrypt traffic going
>>> to from/your proxy if you have rotating packet capture. That said I
>>> don't know of anything that does exactly what you are talking about.
>>> Closest thing I've seen is AV scanning with eCAP/ClamAV in conjunction
>>> with sslbump/dynamic ssl.
>>> 
>>> http://www.e-cap.org/Downloads
>>> 
>>> Regards,
>>> 
>>> Will
>>> 
>>> On Mon, Feb 6, 2012 at 12:53 PM, PS <packetstack at ...11827...> wrote:
>>>> Do you have personal experience with viewssld?
>>>> 
>>>> I would like to do this for connections that are made out to the internet. Since I do not have the private keys for the public web servers, I will be using a proxy server (squid) with its ssl-bump feature to perform the sslmitm. From looking at the config file of viewssld, it looks like I will have to provide a certificate for each website that I would like to monitor. Is that how sslmitm is usually performed?
>>>> 
>>>> Do you know if many companies have sslmitm for internet connections, or is it primarily used for reverse proxy implementations?
>>>> 
>>>> Thank you!
>>>> 
>>>> On Feb 6, 2012, at 12:04 PM, Richard Bejtlich wrote:
>>>> 
>>>>> This is a popular question...
>>>>> 
>>>>> http://resources.infosecinstitute.com/ssl-decryption/
>>>>> 
>>>>> Sincerely,
>>>>> 
>>>>> Richard
>>>>> 
>>>>> On Mon, Feb 6, 2012 at 11:51 AM, PS <packetstack at ...11827...> wrote:
>>>>>> Hello,
>>>>>> 
>>>>>> Does anyone know of a free/opensource tool which could decrypt ssl and make accessible to snort?
>>>>>> 
>>>>>> Something like a mitm proxy with the capability to pass the unencrypted packets over to snort for analysis.
>>>>>> 
>>>>>> Thanks!
>>>>>> 
>>>>>> Victor Pineiro
>>>>>> 
>>>>>> 
>>>>>> ------------------------------------------------------------------------------
>>>>>> Try before you buy = See our experts in action!
>>>>>> The most comprehensive online learning library for Microsoft developers
>>>>>> is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
>>>>>> Metro Style Apps, more. Free future releases when you subscribe now!
>>>>>> http://p.sf.net/sfu/learndevnow-dev2
>>>>>> _______________________________________________
>>>>>> Snort-users mailing list
>>>>>> Snort-users at lists.sourceforge.net
>>>>>> Go to this URL to change user options or unsubscribe:
>>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>>> Snort-users list archive:
>>>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>>>> 
>>>>>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>>>> 
>>>> 
>>>> ------------------------------------------------------------------------------
>>>> Try before you buy = See our experts in action!
>>>> The most comprehensive online learning library for Microsoft developers
>>>> is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
>>>> Metro Style Apps, more. Free future releases when you subscribe now!
>>>> http://p.sf.net/sfu/learndevnow-dev2
>>>> _______________________________________________
>>>> Snort-users mailing list
>>>> Snort-users at lists.sourceforge.net
>>>> Go to this URL to change user options or unsubscribe:
>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>> Snort-users list archive:
>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>> 
>>>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>> 
>> 
>> ------------------------------------------------------------------------------
>> Try before you buy = See our experts in action!
>> The most comprehensive online learning library for Microsoft developers
>> is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
>> Metro Style Apps, more. Free future releases when you subscribe now!
>> http://p.sf.net/sfu/learndevnow-dev2
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>> 
>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
> 
> 
> 
> -- 
> Doug Burks
> SANS GSE and Community Instructor
> Security Onion | http://securityonion.blogspot.com
> President, Greater Augusta ISSA | http://augusta.issa.org





More information about the Snort-users mailing list