From: PS (packetstack@gmail.com)
Date: Mon Feb 06 2012 - 13:49:18 CST
I guess I may be doing it wrong. I tried to use the .pem file for "xyz.com" in Wireshark and I was unable to decrypt the traffic. I am not sure if it is due to the key file options. I am using the following: 192.168.2.1, 3128, http, "key.pem", since Squid is running on 192.168.2.1 port 3128. I will try it again to see where I am messing up.
As for using ICAP for ClamAV, I think I can enable ICAP on the Squid server and forward ALL of the requests to ClamAV so that I can sniff the unencrypted packets being sent to ClamAV. The problem is that I don't think it would be a good idea to have every single request go to ClamAV just for me to sniff the traffic.
I will try the Wireshark approach again and then go from there. Thank you!
On Feb 6, 2012, at 2:22 PM, Will Metcalf wrote:
> If you are using sslbump/dynamic ssl inside of squid nothing is
> preventing you from using the .pem files along with the index file
> ssl_crtd produces for use in wireshark etc. You should adjust the size
> of the DB accordingly. This would allow you to decrypt traffic going
> to/from your proxy if you have rotating packet capture. That said I
> don't know of anything that does exactly what you are talking about.
> Closest thing I've seen is AV scanning with eCAP/ClamAV in conjunction
> with sslbump/dynamic ssl.
>
> http://www.e-cap.org/Downloads
>
> Regards,
>
> Will
>
> On Mon, Feb 6, 2012 at 12:53 PM, PS <packetstack@gmail.com> wrote:
>> Do you have personal experience with viewssld?
>>
>> I would like to do this for connections that are made out to the internet. Since I do not have the private keys for the public web servers, I will be using a proxy server (squid) with its ssl-bump feature to perform the sslmitm. From looking at the config file of viewssld, it looks like I will have to provide a certificate for each website that I would like to monitor. Is that how sslmitm is usually performed?
>>
>> Do you know if many companies have sslmitm for internet connections, or is it primarily used for reverse proxy implementations?
>>
>> Thank you!
>>
>> On Feb 6, 2012, at 12:04 PM, Richard Bejtlich wrote:
>>
>>> This is a popular question...
>>>
>>> http://resources.infosecinstitute.com/ssl-decryption/
>>>
>>> Sincerely,
>>>
>>> Richard
>>>
>>> On Mon, Feb 6, 2012 at 11:51 AM, PS <packetstack@gmail.com> wrote:
>>>> Hello,
>>>>
>>>> Does anyone know of a free/open-source tool which could decrypt SSL and make it accessible to Snort?
>>>>
>>>> Something like a mitm proxy with the capability to pass the unencrypted packets over to snort for analysis.
>>>>
>>>> Thanks!
>>>>
>>>> Victor Pineiro
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>> Try before you buy = See our experts in action!
>>>> The most comprehensive online learning library for Microsoft developers
>>>> is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
>>>> Metro Style Apps, more. Free future releases when you subscribe now!
>>>> http://p.sf.net/sfu/learndevnow-dev2
>>>> _______________________________________________
>>>> Snort-users mailing list
>>>> Snort-users@lists.sourceforge.net
>>>> Go to this URL to change user options or unsubscribe:
>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>> Snort-users list archive:
>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>>
>>>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>>
>>
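A common reason the Wireshark "RSA keys list" approach in this thread fails even with the correct .pem is the negotiated cipher suite: Wireshark can only recover the session when the key exchange is plain RSA (the client encrypts the premaster secret to the server's public key). With DHE/ECDHE suites, and with every TLS 1.3 suite, the server's private key only signs the handshake, so the capture stays opaque no matter which key file is configured. The script below is an added example, not code from the thread or from any of the projects mentioned; it parses a TLS ServerHello record and reports whether the chosen suite is decryptable with a static server key. The ServerHello bytes are constructed inline for the demonstration, and the cipher suite table is a small subset of the IANA registry.

```python
import struct

# Subset of IANA-registered TLS cipher suite identifiers (well-known values).
CIPHER_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0x1301: "TLS_AES_128_GCM_SHA256",  # TLS 1.3: always ephemeral key exchange
}


def build_server_hello(cipher_suite, version=(3, 1)):
    """Construct a minimal TLS record carrying a ServerHello.

    Test input only: a real ServerHello would carry a random nonce and
    usually extensions; the parser below ignores both.
    """
    body = (
        bytes(version)                      # server_version
        + b"\x00" * 32                      # random (zeroed for the example)
        + b"\x00"                           # session_id length 0
        + struct.pack("!H", cipher_suite)   # chosen cipher suite
        + b"\x00"                           # compression_method null
    )
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body  # type 2 = ServerHello
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def parse_server_hello(record):
    """Extract version and cipher suite from a TLS record holding a ServerHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x02:
        raise ValueError("record does not carry a ServerHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or hs_len < 38:
        raise ValueError("truncated ServerHello")
    version = (body[0], body[1])
    pos = 2 + 32                       # skip server_version and random
    sid_len = body[pos]
    pos += 1 + sid_len                 # skip session_id
    cipher = struct.unpack("!H", body[pos:pos + 2])[0]
    return {
        "version": version,
        "cipher_suite": cipher,
        "name": CIPHER_SUITES.get(cipher, "unknown"),
    }


def static_key_decryptable(cipher_suite):
    """True if Wireshark can decrypt the session from the server's RSA key alone.

    Only TLS_RSA_WITH_* suites encrypt the premaster secret to the server key.
    (EC)DHE suites and all TLS 1.3 suites use ephemeral keys, so a key log
    from the endpoint (SSLKEYLOGFILE) is the only decryption route.
    Returns None for suites not in the table.
    """
    name = CIPHER_SUITES.get(cipher_suite)
    if name is None:
        return None
    return name.startswith("TLS_RSA_WITH_")


if __name__ == "__main__":
    for suite in (0x002F, 0xC02F, 0x1301):
        info = parse_server_hello(build_server_hello(suite))
        print(f"{info['name']:45s} static-key decryptable: "
              f"{static_key_decryptable(info['cipher_suite'])}")
```

In a real investigation the ServerHello bytes come from the capture (Wireshark shows the suite under the Server Hello dissection); the point of the check is to rule out the cipher suite before spending more time on key file options.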