I don't think that the honeywall can do it, as it doesn't have an IP.  It's 
completely transparent to the honeypot and also to the internet.

You could put something running Cain into your honeynet and do ARP spoofing to 
redirect the traffic to yourself.  Cain does SSL proxying pretty well and is 
free.



----- Original Message -----
From: [email protected] 
<[email protected]>
To: [email protected] <[email protected]>
Sent: Fri Dec 26 15:42:46 2008
Subject: [Honeywall] SSL connections

Hi everybody,

I'm new to this list, and maybe I'm asking this question in the wrong 
place... but even if so, maybe you can direct me in the right direction?

My problem is that some malware I'm monitoring is using SSL connections 
to communicate with its CC, and I'd like to look into the decrypted SSL 
traffic. Fortunately the malware does not check the server certificate, 
so it would work to put a transparent SSL proxy in between. I was hoping 
the honeywall would implement something like this, as it already 
provides transparent HTTP proxies. All that would be needed is 
simulating an SSL server to the malware, decrypting everything and logging 
it, and putting it back into a new SSL connection to the real CC. Of course 
recognizing SSL traffic is another thing, but as a first approach anything 
directed to port 443 would suffice.  But as far as I can tell, there is 
no such feature there... As SSL protocols between malware and CC become 
more popular, I'm pretty sure such a feature would be quite useful for 
any kind of honeynet project as well, I just don't seem to be able to 
find anything useful using Google. There are commercial products like 
the one from Netronome (google for "transparent ssl proxy"), but I 
didn't find anything in the open source area.

Actually the malware I'm working with is fortunately using SSL proxies 
if configured in IE, so in this particular case such an SSL proxy need 
not even be transparent (though I'd prefer a transparent solution as it 
is much easier). So I thought Squid might be an alternative. But it 
seems Squid can't translate a request to its SSL proxy into a normal SSL 
request and decrypt in between... so this approach doesn't seem to work 
either. There are some IE plugins (Komodia), but this most probably 
wouldn't work, as the malware doesn't work from within IE, so a real 
proxy solution would be preferable.

Any help would be appreciated, thanks in advance... Andy

_______________________________________________
Honeywall mailing list
[email protected]
https://public.honeynet.org/mailman/listinfo/honeywall
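
The original message notes that recognizing SSL traffic is a separate problem from proxying it, with "anything directed to port 443" as a first approach. The following is an added example, not part of the thread and not Honeywall code: a sketch of how a monitoring point could recognize an SSL/TLS ClientHello from the first bytes of a connection regardless of port. The function name and the sample byte strings are constructed for illustration.

```python
import struct

# Wire version numbers -> names (SSLv2 through TLS 1.2).
VERSIONS = {0x0002: "SSLv2", 0x0300: "SSLv3", 0x0301: "TLS1.0",
            0x0302: "TLS1.1", 0x0303: "TLS1.2"}

def sniff_client_hello(buf: bytes):
    """Classify the first bytes a client sent on a new TCP connection.

    Returns (verdict, version): verdict is "ssl", "not-ssl" or "need-more";
    version is the protocol version the client offers, or None.
    """
    if not buf:
        return ("need-more", None)
    if buf[0] == 0x16:                      # SSLv3/TLS handshake record
        if len(buf) < 11:
            return ("need-more", None)
        rec_ver, rec_len = struct.unpack("!HH", buf[1:5])
        hs_type = buf[5]                    # 1 = ClientHello
        (hello_ver,) = struct.unpack("!H", buf[9:11])
        if (rec_ver >> 8 == 3 and 0 < rec_len <= 0x4000
                and hs_type == 1 and 0x0300 <= hello_ver <= 0x0303):
            return ("ssl", VERSIONS[hello_ver])
        return ("not-ssl", None)
    if buf[0] & 0x80:                       # SSLv2-format 2-byte record header
        if len(buf) < 5:
            return ("need-more", None)
        rec_len = ((buf[0] & 0x7F) << 8) | buf[1]
        (hello_ver,) = struct.unpack("!H", buf[3:5])
        # msg type 1 = CLIENT-HELLO; 9 bytes is the fixed part of that message
        if buf[2] == 1 and rec_len >= 9 and hello_ver in VERSIONS:
            return ("ssl", VERSIONS[hello_ver])
        return ("not-ssl", None)
    return ("not-ssl", None)

# Constructed sample inputs (not captured traffic).
SAMPLES = {
    "tls10_hello": bytes.fromhex("160301002f0100002b0301"),
    "v2_compat_hello": bytes.fromhex("802e0103010015000000100000"),
    "http_get": b"GET / HTTP/1.1\r\n",
    "telnet_negotiation": bytes.fromhex("fffb01fffb03"),
    "truncated_record": bytes.fromhex("160301"),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, sniff_client_hello(data))
```

A "need-more" verdict means the caller should buffer further bytes before deciding whether to log the flow as SSL.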