Wow, that's a lot to look into ... will start with security-onion and
explore what's included, and if I reach something useful will write
back about it.

You sir have been extremely helpful! thanks again.

Regards,
Sherif.

On Thu, Jun 7, 2012 at 7:49 AM, Liam Randall <[email protected]> wrote:
> This won't get you all the way there.
>
> If you haven't looked at it yet maybe try setting up Bro to dissect your
> network traffic in real time.  They have a fancy SSL analyzer, however it
> is not going to fully decrypt all of your SSL sessions.  It will report
> on keys, signing, sessions, etc. for nearly everything speaking SSL.
> Jump right to pages 165/166 for an overview:
> http://tracker.bro-ids.org/bro/export/5bf18fdb7f1d54d290728ce02b95e1579b3a65f0/bro/doc/ref-manual/Bro-Ref-Manual.pdf
>
> I would drop by #bro-ids on freenode.
>
> Tangentially related, with the 2.0 release out of the box you can start to
> get real fancy and detect things like browser plugins off the wire, dump
> plain text passwords, etc.  The 2.0 release has pretty good protocol
> coverage and those guys are working their butts off on SMB and others.
>
> Other stuff you may need to capture and disassemble offline w/ Xplico,
> chaosreader, wireshark, etc.
>
> Bro is now included in security onion; highly recommend it.  It also has
> daemonlogger (for full packet capture), snort/suricata, sguil, xplico,
> wireshark, chaosreader...
>
> Best of luck.
>
> Liam Randall
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Sherif
> El-Deeb
> Sent: Wednesday, June 06, 2012 11:51 PM
> To: PaulDotCom Security Weekly Mailing List
> Subject: Re: [Pauldotcom] Inspecting SSL traffic for free "A.K.A IDS/IPS
> on SSL connections"
>
> Liam,
> Looks like just what I have been looking for, thanks a million! But it
> will be limited to HTTPS traffic, I guess? No POP3S or IMAPS.
>
> I managed yesterday to do a workaround that handled everything SSL:
> using SSLSplit "http://mirror.roe.ch/rel/sslsplit/sslsplit-latest.1.txt";
> and iptables.
>
> After running it for a few hours it works fine, will do testing for a
> couple of days before pushing to production.
>
> Thanks again.
> Sherif Eldeeb.
>
> On Thu, Jun 7, 2012 at 5:28 AM, Liam Randall <[email protected]>
> wrote:
>> Squid SSL-bump might do the trick for you.
>>
>> http://wiki.squid-cache.org/Features/SslBump
>>
>> Liam Randall
>>
>> -----Original Message-----
>> From: [email protected]
>> [mailto:[email protected]] On Behalf Of Sherif
>> El-Deeb
>> Sent: Monday, June 04, 2012 12:50 AM
>> To: PaulDotCom Security Weekly Mailing List
>> Subject: [Pauldotcom] Inspecting SSL traffic for free "A.K.A IDS/IPS
>> on SSL connections"
>>
>> - I would like to inspect traffic for SSL(TLS?) connections, I already
>> pushed our own root CA to all machines' trusted Root certificates and
>> no warnings show up when a certificate that is signed by it gets
>> served.
>>
>> - The feature I am looking for is like "Burp's invisible proxy +
>> generate CA-signed per-host certificates" where a certificate is
>> generated on the fly for each host using a pre-defined pre-trusted
>> root CA while being able to inspect the payload "No, ettercap is not
>> production friendly and it does not allow HTTPS interception in bridge
>> sniffing, cain is no better".
>>
>> - I know that wireshark decrypts SSL traffic when you provide it with
>> the private key, the tricky part is the
>> "on-the-fly-per-host-certificate-generation".
>>
>> - That particular subnet's gateway is a Linux machine with two NICs,
>> simple iptables NAT, 30 computers...
>>
>> - I am aware of a few commercial products that do this, but I would
>> appreciate being told how to do it for free.
>>
>> Thanks in advance.
>> Sherif Eldeeb.
>> _______________________________________________
>> Pauldotcom mailing list
>> [email protected]
>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>> Main Web Site: http://pauldotcom.com
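The "on-the-fly per-host certificate generation" step that Sherif calls the tricky part, as an added shell example that is not from the thread, SSLSplit or Squid: it mints a leaf certificate for one hostname signed by the pre-trusted internal root CA and checks that the leaf chains to that CA and nothing else. The CA subject, hostnames and working directory are constructed for the demo; it assumes only that `openssl` is installed.

```shell
#!/bin/sh
# Added example: per-host leaf certificates from an internal inspection CA.
# All names and paths are constructed; requires only the openssl CLI.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Minimal config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Create the internal root CA once. In the gateway setup from the thread this
# is the CA already pushed to every workstation's trusted root store.
make_root_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
        -config "$WORK/openssl.cnf" -extensions v3_ca \
        -subj "/CN=Example Inspection Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# Generate a leaf for one hostname on demand; cached on disk so a repeat
# request for the same host reuses the certificate. Prints the cert path.
leaf_cert_for() {
    host="$1"; crt="$WORK/$host.pem"
    [ -f "$crt" ] && { echo "$crt"; return 0; }
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/openssl.cnf" \
        -subj "/CN=$host" -keyout "$WORK/$host.key" -out "$WORK/$host.csr" >/dev/null 2>&1
    # Clients match on subjectAltName, not CN, so set it explicitly.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" > "$WORK/$host.ext"
    openssl x509 -req -days 365 -sha256 -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -extfile "$WORK/$host.ext" -in "$WORK/$host.csr" -out "$crt" >/dev/null 2>&1
    echo "$crt"
}

# Returns 0 only when the leaf verifies against the internal CA.
chains_to_internal_ca() {
    openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1
}

make_root_ca
CRT="$(leaf_cert_for mail.example.internal)"
chains_to_internal_ca "$CRT" && echo "minted $CRT, chains to internal CA"
```

The leaf is only trusted by hosts that carry the internal CA, which is why the root must be pushed to managed machines first and why a missing SAN shows up as a browser warning rather than a silent failure.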
