Hi everybody,
I'm new to this list, and maybe I'm asking this question at the wrong
place... but even if so, maybe you can direct me into the right direction?
My problem is that some malware I'm monitoring is using SSL connections
to communicate with its CC, and I'd like to look into the decrypted SSL
traffic. Fortunately the malware does not check the server certificate,
so it would work to put a transparent SSL proxy in between. I was hoping
the honeywall would implement something like this, as it already
provides transparent HTTP proxies. All that would be needed is
simulating an SSL server to the malware, decrypting everything and logging
it, and putting it back into a new SSL connection to the real CC. Of course
recognizing SSL traffic is another thing, but as first approach anything
directed to a port 443 would suffice. But as far as I can say, there is
no such feature there... As SSL protocols between malware and CC become
more popular, I'm pretty sure such a feature would be quite useful for
any kind of honeynet project as well, just I don't seem to be able to
find anything useful using google. There are commercial products like
the one from Netronome (google for "transparent ssl proxy"), but I
didn't find anything in the opensource area.
Actually the malware I'm working with is fortunately using SSL proxies
if configured in IE, so in this particular case such an SSL proxy need
not even be transparent (though I'd prefer a transparent solution as it
is much easier). So I thought Squid might be an alternative. But it
seems Squid can't translate a request to its SSL proxy into a normal SSL
request and decrypt in between... so this approach doesn't seem to work
either. There are some IE plugins (Komodia), but this most probably
wouldn't work, as the malware doesn't work from within IE, so a real
proxy solution would be preferable.
Any help would be appreciated, thanks in advance... Andy
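The interception point the post describes (terminate the sample's SSL session with a certificate it will not verify, log the plaintext, re-encrypt towards the real server) is small enough to show in full. The program below is an added example written for this page, not Honeywall code and not from the list; it uses only the Go standard library. Names such as `StartProxy`, `Tap` and `RoundTrip` are my own, the echo server is a constructed stand-in for the real CC, and the "hello from sample" payload is constructed test traffic. It assumes the sample's connection has already been steered to the listener (the transparent-redirect part the post leaves to the honeywall); the example itself only does the terminate-log-reencrypt step.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net"
	"sync"
	"time"
)

// SelfSignedCert builds a throwaway certificate for the proxy to present; the sample skips checks, so any cert will do.
func SelfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, err
}

// SafeBuffer is a goroutine-safe byte buffer holding one direction of captured plaintext.
type SafeBuffer struct{ mu sync.Mutex; buf []byte }

func (s *SafeBuffer) Write(b []byte) (int, error) { s.mu.Lock(); defer s.mu.Unlock(); s.buf = append(s.buf, b...); return len(b), nil }
func (s *SafeBuffer) String() string             { s.mu.Lock(); defer s.mu.Unlock(); return string(s.buf) }

// Tap is the decrypted capture of one proxy, split by direction.
type Tap struct{ ToServer, ToClient SafeBuffer }

// handle terminates the sample's TLS session, opens a fresh TLS session upstream, and relays both ways via the tap.
func handle(client net.Conn, upstream string, upCfg *tls.Config, tap *Tap) {
	defer client.Close()
	server, err := tls.Dial("tcp", upstream, upCfg)
	if err != nil {
		return
	}
	defer server.Close()
	done := make(chan struct{}, 2)
	relay := func(dst io.Writer, src io.Reader, capture *SafeBuffer) {
		io.Copy(dst, io.TeeReader(src, capture)) // the tee records plaintext before re-encryption
		done <- struct{}{}
	}
	go relay(server, client, &tap.ToServer)
	go relay(client, server, &tap.ToClient)
	<-done // one side hung up; the deferred Closes unblock the other direction
}

// serveTLS accepts TLS connections on addr in the background and hands each one to fn.
func serveTLS(addr string, cert tls.Certificate, fn func(net.Conn)) (string, error) {
	ln, err := tls.Listen("tcp", addr, &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return "", err
	}
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go fn(c)
		}
	}()
	return ln.Addr().String(), nil
}

// StartProxy listens on addr and forwards every session to upstream. verifyUpstream decides
// whether the proxy checks the real server's certificate; the lab run in main turns it off.
func StartProxy(addr, upstream string, cert tls.Certificate, verifyUpstream bool, tap *Tap) (string, error) {
	upCfg := &tls.Config{InsecureSkipVerify: !verifyUpstream}
	return serveTLS(addr, cert, func(c net.Conn) { handle(c, upstream, upCfg, tap) })
}

// StartEchoServer stands in for the real CC here: a TLS server that echoes its input (constructed, lab only).
func StartEchoServer(cert tls.Certificate) (string, error) {
	return serveTLS("127.0.0.1:0", cert, func(c net.Conn) { defer c.Close(); io.Copy(c, c) })
}

// RoundTrip plays the sample: connect without checking the certificate, send payload, read back as many bytes.
func RoundTrip(proxyAddr string, payload []byte) ([]byte, error) {
	conn, err := tls.Dial("tcp", proxyAddr, &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	reply := make([]byte, len(payload))
	if _, err = conn.Write(payload); err == nil {
		_, err = io.ReadFull(conn, reply)
	}
	return reply, err
}

func main() {
	cert, _ := SelfSignedCert()
	upstream, _ := StartEchoServer(cert)
	tap := &Tap{}
	proxy, _ := StartProxy("127.0.0.1:0", upstream, cert, false, tap)
	reply, err := RoundTrip(proxy, []byte("hello from sample\n")) // constructed sample traffic
	fmt.Printf("reply=%q err=%v\nC->S %q\nS->C %q\n", reply, err, tap.ToServer.String(), tap.ToClient.String())
}
```

Two practical points. `verifyUpstream` is the knob that matters outside the lab: with it off, the proxy trusts whatever answers on the CC address, so for a real sample you would normally verify, or pin, the remote certificate on that leg and keep the unverified leg only on the side facing the sample. And a sample that does check certificates will abort the handshake against the fake certificate; a handshake that fails right after the ClientHello on the tap is therefore a quick way to tell the two cases apart before investing in the proxy.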
_______________________________________________
Honeywall mailing list
[email protected]
https://public.honeynet.org/mailman/listinfo/honeywall