This won't get you all the way there. If you haven't looked at it yet, maybe try setting up Bro to dissect your network traffic in real time. They have a fancy SSL analyzer; however, it is not going to fully decrypt all of your SSL sessions. It will report on keys, signing, sessions, etc. for nearly everything speaking SSL. Jump right to pages 165/166 for an overview: http://tracker.bro-ids.org/bro/export/5bf18fdb7f1d54d290728ce02b95e1579b3a65f0/bro/doc/ref-manual/Bro-Ref-Manual.pdf

I would drop by #bro-ids on freenode. Tangentially related: with the 2.0 release, out of the box you can start to get real fancy and detect things like browser plugins off the wire, dump plain-text passwords, etc. The 2.0 release has pretty good protocol coverage, and those guys are working their butts off on SMB and others. Other stuff you may need to capture and disassemble offline with Xplico, chaosreader, wireshark, etc.

Bro is now included in Security Onion; highly recommend it. It also has daemonlogger (for full packet capture), snort/suricata, sguil, xplico, wireshark, chaosreader...

Best of luck.

Liam Randall

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Sherif El-Deeb
Sent: Wednesday, June 06, 2012 11:51 PM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Inspecting SSL traffic for free "A.K.A IDS/IPS on SSL connections"

Liam,

Looks like just what I have been looking for, thanks a million! But it will be limited to HTTPS traffic "I guess?"... no POP3S or IMAPS.

I managed yesterday to do a workaround that handled everything SSL: using SSLsplit "http://mirror.roe.ch/rel/sslsplit/sslsplit-latest.1.txt" and iptables. After running it for a few hours it works fine; I will do testing for a couple of days before pushing to production.

Thanks again.
Sherif Eldeeb.

On Thu, Jun 7, 2012 at 5:28 AM, Liam Randall <[email protected]> wrote:
> squid SSL-bump might do the trick for you.
>
> http://wiki.squid-cache.org/Features/SslBump
>
> Liam Randall
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Sherif El-Deeb
> Sent: Monday, June 04, 2012 12:50 AM
> To: PaulDotCom Security Weekly Mailing List
> Subject: [Pauldotcom] Inspecting SSL traffic for free "A.K.A IDS/IPS on SSL connections"
>
> - I would like to inspect traffic for SSL (TLS?) connections. I already pushed our own root CA to all machines' trusted root certificates, and no warnings show up when a certificate that is signed by it gets served.
>
> - The feature I am looking for is like "Burp's invisible proxy + generate CA-signed per-host certificates", where a certificate is generated on the fly for each host using a pre-defined, pre-trusted root CA while being able to inspect the payload. "No, ettercap is not production friendly and it does not allow HTTPS interception in bridge sniffing; cain is no better."
>
> - I know that wireshark decrypts SSL traffic when you provide it with the private key; the tricky part is the "on-the-fly-per-host-certificate-generation".
>
> - That particular subnet's gateway is a linux machine with two NICs, simple iptables NAT, 30 computers...
>
> - I am aware of a few commercial products that do this, but I will appreciate telling me how to do it for free.
>
> Thanks in advance.
> Sherif Eldeeb.
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
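Since the thread turns on what Bro's SSL analyzer can report without decrypting anything, here is an added example (not from the thread, Bro, or Security Onion) of the kind of review a defender could run over its ssl.log: it flags sessions whose certificate issuer is not an expected CA, sessions negotiated with legacy protocol versions, and certificates already expired at the time of the session. The column layout, the issuer allow-list and the log records are constructed for this example; a real log's `#fields` header is read when present.

```python
# Added example (not from the thread or Bro). Column layout and sample
# records below are constructed; a real log's "#fields" header takes precedence.
FIELDS = ["ts", "id.orig_h", "id.resp_h", "id.resp_p", "version",
          "server_name", "subject", "issuer_subject",
          "not_valid_before", "not_valid_after"]  # assumed default order

# Issuers expected on this network: public CAs the desktops trust plus the
# internal interception root. Anything else deserves a second look.
EXPECTED_ISSUERS = {"CN=Example Public CA,O=Example Trust",
                    "CN=Corp Inspection Root,O=Example Corp"}
LEGACY_VERSIONS = {"SSLv2", "SSLv3"}

# Constructed sample log: tab-separated, Bro style, epoch-second timestamps.
SAMPLE_LOG = """\
#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\tversion\tserver_name\tsubject\tissuer_subject\tnot_valid_before\tnot_valid_after
1339000000.1\t10.0.0.5\t203.0.113.10\t443\tTLSv10\tmail.example.net\tCN=mail.example.net\tCN=Example Public CA,O=Example Trust\t1330000000.0\t1360000000.0
1339000001.2\t10.0.0.6\t203.0.113.11\t995\tTLSv10\tpop.example.net\tCN=pop.example.net\tCN=Corp Inspection Root,O=Example Corp\t1330000000.0\t1360000000.0
1339000002.3\t10.0.0.7\t198.51.100.9\t443\tSSLv3\tupdate.example.org\tCN=update.example.org\tCN=Unknown Issuer\t1330000000.0\t1360000000.0
1339000003.4\t10.0.0.8\t198.51.100.12\t993\tTLSv10\timap.example.net\tCN=imap.example.net\tCN=Example Public CA,O=Example Trust\t1300000000.0\t1335000000.0
"""

def parse_ssl_log(text):
    """Yield one dict per record; a '#fields' line overrides FIELDS."""
    fields = FIELDS
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))

def find_anomalies(text, expected_issuers=EXPECTED_ISSUERS):
    """Return (reason, record) pairs, in log order, for suspicious sessions."""
    findings = []
    for rec in parse_ssl_log(text):
        if rec["issuer_subject"] not in expected_issuers:
            findings.append(("unexpected-issuer", rec))
        if rec["version"] in LEGACY_VERSIONS:
            findings.append(("legacy-protocol", rec))
        # Compare expiry against the session time, not "now", so that old
        # logs are judged as of when the session actually happened.
        if float(rec["not_valid_after"]) < float(rec["ts"]):
            findings.append(("expired-at-session-time", rec))
    return findings

if __name__ == "__main__":
    for reason, rec in find_anomalies(SAMPLE_LOG):
        print(reason, rec["id.orig_h"], "->", rec["server_name"],
              rec["id.resp_p"], rec["issuer_subject"])
```

The POP3S and IMAPS sessions on ports 995 and 993 are reviewed the same way as HTTPS, since the check keys on the certificate fields rather than on the application protocol.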
