[Snort-users] SSL and Snort

PS packetstack at ...11827...
Tue Feb 7 18:47:46 EST 2012


So so far I have tried everything if not almost every suggestion that was made.

I tend to get segmentation faults left and right with ssldump and sslsniff. I can't get viewssld to compile correctly and last but not least, Wireshark and tshark haven't worked for me neither.

This is what I am doing step by step...

Squid Server - 192.168.2.1 listening on port 3128
Client: Mac OSX - 192.168.2.10


1. I take a look at the index.txt file in the /usr/local/squid/var/lib/ssl_db directory and write down the serial number of the .pem file that corresponds to the domain. For this example we will use: www.xyz.com and the serial number is 123456

2. I grab the .pem file from the /usr/local/squid/var/lib/ssl_crtd/certs/ directory. The file is called 123456.pem (It contains the private key and cert)

3. Next I scp 123456.pem from the squid server (192.168.2.1) to the client (192.168.2.10).

4.On the client, I then convert the .pem file to a format that Wireshark is able to import (RSA). I do this by issuing the following commands:
	4a.openssl pkcs8 -topk8 -in 123456.pem -out temp.pem
	4b.openssl rsa -in temp.pem -out rsa.pem

5. Now I open up wireshark and click on Edit -> Preferences -> Protocols -> SSL and click on "Edit..." next the RSA Key list:

6.I click on New and then he following information is entered:
6a. IP address: 192.168.2.1 (Squid Server)
6b.Port: 3128 (Squid port) Note: This is how the squid http_port option is configured in the squid.conf file: http_port 192.168.2.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB  key=/usr/local/squid/ssl_cert/private/squid.pem cert=/usr/local/squid/ssl_cert/squid.pem 
6c. Protocol: I have tried both data and http
6d.Key: /Users/me/rsa.pem

7. Next to SSL debug file, I add /Users/me/ssl-debug.log

8. I then start Wireshark and browse over to https://www.xyz.com with firefox which is configured to use port 3128 as the proxy port.

All of that results in nothing but encrypted traffic. The traffic looks the same as it would if I had never had added the key. Looking at the ssl-debug.log, I can see that wireshark was able to import the key successfully.

I don't know where I am messing up in on that list. Any ideas? 

On Feb 6, 2012, at 3:04 PM, Doug Burks wrote:

> Is your .pem file PKCS#8 format by chance?  If so, you may need to
> convert it to PKCS#1 format as shown here:
> http://pauldotcom.com/2010/10/tsharkwireshark-ssl-decryption.html
> 
> Regards,
> Doug
> 
> On Mon, Feb 6, 2012 at 2:49 PM, PS <packetstack at ...11827...> wrote:
>> I guess I may be doing it wrong. I tried to use the .pem file for "xyz.com" in wireshark and I was unable to decrypt the traffic. I am not sure if it is due to the key file options. I am using the following: 192.168.2.1, 3128, http, "key.pem". Since squid is running on 192.168.2.1 port 3128. I will try it again to see what I where I am messing up.
>> 
>> As for using ICAP for ClamAV, I think I can enable icap on the squid server and forward ALL of the request to clamv so that I can sniff the unencrypted packets being sent to clamv. Problem is that I don't think that it would be a good idea to have every single request go to ClamAV just for me to sniff the traffic.
>> 
>> I will try the wireshark approach again and then go from there. Thank you!
>> 
>> On Feb 6, 2012, at 2:22 PM, Will Metcalf wrote:
>> 
>>> If you are using sslbump/dynamic ssl inside of squid nothing is
>>> preventing you from using the .pem files along with the index file
>>> ssl_crtd produces for use in wireshark etc. You should adjust the size
>>> of the DB accordingly. This would allow you to decrypt traffic going
>>> to from/your proxy if you have rotating packet capture. That said I
>>> don't know of anything that does exactly what you are talking about.
>>> Closest thing I've seen is AV scanning with eCAP/ClamAV in conjunction
>>> with sslbump/dynamic ssl.
>>> 
>>> http://www.e-cap.org/Downloads
>>> 
>>> Regards,
>>> 
>>> Will
>>> 
>>> On Mon, Feb 6, 2012 at 12:53 PM, PS <packetstack at ...11827...> wrote:
>>>> Do you have personal experience with viewssld?
>>>> 
>>>> I would like to do this for connections that are made out to the internet. Since I do not have the private keys for the public web servers, I will be using a proxy server (squid) with its ssl-bump feature to perform the sslmitm. From looking at the config file of viewssld, it looks like I will have to provide a certificate for each website that I would like to monitor. Is that how sslmitm is usually performed?
>>>> 
>>>> Do you know if many companies have sslmitm for internet connections, or is it primarily used for reverse proxy implementations?
>>>> 
>>>> Thank you!
>>>> 
>>>> On Feb 6, 2012, at 12:04 PM, Richard Bejtlich wrote:
>>>> 
>>>>> This is a popular question...
>>>>> 
>>>>> http://resources.infosecinstitute.com/ssl-decryption/
>>>>> 
>>>>> Sincerely,
>>>>> 
>>>>> Richard
>>>>> 
>>>>> On Mon, Feb 6, 2012 at 11:51 AM, PS <packetstack at ...11827...> wrote:
>>>>>> Hello,
>>>>>> 
>>>>>> Does anyone know of a free/opensource tool which could decrypt ssl and make accessible to snort?
>>>>>> 
>>>>>> Something like a mitm proxy with the capability to pass the unencrypted packets over to snort for analysis.
>>>>>> 
>>>>>> Thanks!
>>>>>> 
>>>>>> Victor Pineiro
>>>>>> 
>>>>>> 
>>>>>> ------------------------------------------------------------------------------
>>>>>> Try before you buy = See our experts in action!
>>>>>> The most comprehensive online learning library for Microsoft developers
>>>>>> is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
>>>>>> Metro Style Apps, more. Free future releases when you subscribe now!
>>>>>> http://p.sf.net/sfu/learndevnow-dev2
>>>>>> _______________________________________________
>>>>>> Snort-users mailing list
>>>>>> Snort-users at lists.sourceforge.net
>>>>>> Go to this URL to change user options or unsubscribe:
>>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>>> Snort-users list archive:
>>>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>>>> 
>>>>>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>>>> 
>>>> 
>>>> ------------------------------------------------------------------------------
>>>> Try before you buy = See our experts in action!
>>>> The most comprehensive online learning library for Microsoft developers
>>>> is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
>>>> Metro Style Apps, more. Free future releases when you subscribe now!
>>>> http://p.sf.net/sfu/learndevnow-dev2
>>>> _______________________________________________
>>>> Snort-users mailing list
>>>> Snort-users at lists.sourceforge.net
>>>> Go to this URL to change user options or unsubscribe:
>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>> Snort-users list archive:
>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>> 
>>>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>> 
>> 
>> ------------------------------------------------------------------------------
>> Try before you buy = See our experts in action!
>> The most comprehensive online learning library for Microsoft developers
>> is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
>> Metro Style Apps, more. Free future releases when you subscribe now!
>> http://p.sf.net/sfu/learndevnow-dev2
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>> 
>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
> 
> 
> 
> -- 
> Doug Burks
> SANS GSE and Community Instructor
> Security Onion | http://securityonion.blogspot.com
> President, Greater Augusta ISSA | http://augusta.issa.org

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20120207/d13d376f/attachment.html>


More information about the Snort-users mailing list