[Oisf-users] Decrypt ssl sessions
robert.vineyard at oit.gatech.edu
Mon Nov 21 14:49:26 UTC 2011
On 11/21/2011 9:33 AM, carlopmart wrote:
> Maybe it is off-topic, but AFAIK Suricata doesn't decrypt SSL
> sessions, correct? But does some open-source tool exist that can do it and
> pass the traffic to Suricata to analyze?
I don't think it's off-topic at all; in fact, it is a feature that would
give Suricata a competitive advantage over many other IDS systems.
We've observed attackers utilizing encryption to mask their activities,
often sending malicious traffic over legitimate HTTPS or SSH channels. This
technique is generally successful in allowing them to bypass traditional
signature-based IDS setups.
There are some commercially-available products that either include SSL
decryption or offer it as an add-on, including one from Sourcefire.
I think a good first step, if there's enough interest in pursuing this type
of functionality, would be real-time decryption of private-key-escrowed
legitimate traffic. A number of application-layer "next generation"
firewalls can do this with minimal additional overhead, particularly
considering some of the crypto-acceleration features built into recent CPUs
from Intel and others - never mind the ongoing Suricata CUDA development.
GPUs could be leveraged for SSL decryption as well...
Unfortunately I don't really have much in the way of development resources
to offer here, but I may be able to provide testing facilities in our
high-traffic university environment where such a feature would be heavily
Robert Vineyard, CISSP, RHCE
Senior Information Security Engineer
Georgia Tech Office of Information Technology
404.385.6900 (office/cell) / 404.894.9548 (fax)
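As an added illustration of the "private-key-escrowed" approach Robert describes above (example code written for this page, not code from the list, from Suricata or from any of the products mentioned; it assumes Go and simulates the handshake in-process rather than parsing a capture), the block below does what a passive sensor holding the server's RSA private key can do against TLS 1.2 with an RSA key-exchange suite: decrypt the ClientKeyExchange to recover the pre-master secret, run the RFC 5246 PRF to get the master secret and key block, and open an AES-GCM application_data record it saw on the wire. The function names (prf, deriveKeys, sealRecord, openRecord, passiveDecrypt, runDemo), the choice of TLS_RSA_WITH_AES_128_GCM_SHA256, the use of the record sequence number as the explicit nonce, and the sample HTTP request are all this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// prf is the TLS 1.2 pseudo-random function (RFC 5246 section 5) instantiated with P_SHA256.
func prf(secret []byte, label string, seed []byte, n int) []byte {
	seed = append([]byte(label), seed...)
	a, out := seed, []byte{} // A(0) = seed
	for len(out) < n {
		m := hmac.New(sha256.New, secret)
		m.Write(a)
		a = m.Sum(nil) // A(i) = HMAC(secret, A(i-1))
		m = hmac.New(sha256.New, secret)
		m.Write(a)
		m.Write(seed)
		out = append(out, m.Sum(nil)...) // HMAC(secret, A(i) + seed)
	}
	return out[:n]
}

func concat(a, b []byte) []byte { return append(append([]byte{}, a...), b...) }

// deriveKeys follows RFC 5246 6.3 for TLS_RSA_WITH_AES_128_GCM_SHA256: key_block = client_key(16) || server_key(16) || client_iv(4) || server_iv(4), no MAC keys for AEAD.
func deriveKeys(preMaster, clientRandom, serverRandom []byte) (master, clientKey, clientIV []byte) {
	master = prf(preMaster, "master secret", concat(clientRandom, serverRandom), 48)
	kb := prf(master, "key expansion", concat(serverRandom, clientRandom), 40)
	return master, kb[0:16], kb[32:36]
}

// tlsAAD is the additional data of a TLS 1.2 AEAD record: seq_num || type || version || length.
func tlsAAD(seq uint64, length int) []byte {
	aad := make([]byte, 13)
	binary.BigEndian.PutUint64(aad, seq)
	aad[8], aad[9], aad[10] = 23, 3, 3 // application_data, TLS 1.2
	binary.BigEndian.PutUint16(aad[11:], uint16(length))
	return aad
}

// sealRecord encrypts one application_data record as the client would; the 8-byte explicit nonce (here the sequence number, a common implementation choice) is sent in the clear.
func sealRecord(key, implicitIV []byte, seq uint64, plaintext []byte) []byte {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	explicit := make([]byte, 8)
	binary.BigEndian.PutUint64(explicit, seq)
	return append(explicit, gcm.Seal(nil, concat(implicitIV, explicit), plaintext, tlsAAD(seq, len(plaintext)))...)
}

// openRecord decrypts a record with a recovered write key; a wrong key fails the GCM tag check.
func openRecord(key, implicitIV []byte, seq uint64, record []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key) // key is always 16 bytes here
	gcm, _ := cipher.NewGCM(block)
	if len(record) < 8+gcm.Overhead() {
		return nil, fmt.Errorf("record too short (%d bytes)", len(record))
	}
	ct := record[8:]
	return gcm.Open(nil, concat(implicitIV, record[:8]), ct, tlsAAD(seq, len(ct)-gcm.Overhead()))
}

// passiveDecrypt is the sensor side: it never joins the handshake and needs only the escrowed server private key plus what it saw on the wire (hello randoms, ClientKeyExchange, a record).
func passiveDecrypt(priv *rsa.PrivateKey, clientRandom, serverRandom, encPreMaster, record []byte, seq uint64) ([]byte, error) {
	pre, err := rsa.DecryptPKCS1v15(rand.Reader, priv, encPreMaster)
	if err != nil || len(pre) != 48 || pre[0] != 3 || pre[1] != 3 { // 48 bytes, TLS 1.2 version prefix
		return nil, fmt.Errorf("this key does not recover a TLS 1.2 pre-master secret")
	}
	_, key, iv := deriveKeys(pre, clientRandom, serverRandom)
	return openRecord(key, iv, seq, record)
}

// runDemo plays a client against serverKey, then lets a sensor holding sensorKey read record 1.
func runDemo(serverKey, sensorKey *rsa.PrivateKey) (string, error) {
	clientRandom, serverRandom, pre := make([]byte, 32), make([]byte, 32), make([]byte, 48)
	for _, b := range [][]byte{clientRandom, serverRandom, pre} {
		rand.Read(b)
	}
	pre[0], pre[1] = 3, 3 // pre-master secret starts with client_version (RFC 5246 7.4.7.1)
	encPre, _ := rsa.EncryptPKCS1v15(rand.Reader, &serverKey.PublicKey, pre) // ClientKeyExchange body
	_, key, iv := deriveKeys(pre, clientRandom, serverRandom)
	record := sealRecord(key, iv, 1, []byte("GET /admin/config.php HTTP/1.1\r\nHost: example.test\r\n\r\n")) // constructed sample
	out, err := passiveDecrypt(sensorKey, clientRandom, serverRandom, encPre, record, 1)
	return string(out), err
}

func main() {
	server, _ := rsa.GenerateKey(rand.Reader, 2048)
	other, _ := rsa.GenerateKey(rand.Reader, 2048)
	fmt.Println(runDemo(server, server)) // escrowed key: the request is recovered
	fmt.Println(runDemo(server, other))  // some other key: empty string and an error
}
```

The point a practitioner should take from this is the limit of the approach: it works only because the RSA key exchange puts the whole pre-master secret inside a blob encrypted to the server's long-term key, so anyone holding that key can replay the derivation offline. With DHE or ECDHE suites the escrowed key only signs the ServerKeyExchange, the session keys come from ephemeral values the server never stores, and a sensor with the private key learns nothing; it then has to terminate TLS in-line or be fed per-session keys by the endpoints. Any passive decryptor fed from a real capture also has to reassemble TCP and track the record sequence number per direction, which the in-process simulation above sidesteps.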