[Oisf-users] Decrypt ssl sessions

Robert Vineyard robert.vineyard at oit.gatech.edu
Mon Nov 21 14:49:26 UTC 2011


On 11/21/2011 9:33 AM, carlopmart wrote:
>   Maybe it is off-topic, but AFAIK Suricata doesn't decrypt SSL
> sessions, correct? But does some open-source tool exist that can do it and
> pass the traffic to Suricata to analyze it?

I don't think it's off-topic at all, and in fact is a feature that would
give Suricata a competitive advantage over many other IDS systems -
including Snort.

We've observed attackers utilizing encryption to mask their activities,
often sending malicious traffic over legitimate HTTPS or SSH channels. This
technique is generally successful in allowing them to bypass traditional
signature-based IDS setups.

There are some commercially-available products that either include SSL
decryption or offer it as an add-on, including one from Sourcefire.

I think a good starting point, if there's enough interest in pursuing this type
of functionality, would be real-time decryption of private key-escrowed
legitimate traffic. A number of application-layer "next generation"
firewalls can do this with minimal additional overhead, particularly
considering some of the crypto-acceleration features built into recent CPUs
from Intel and others - never mind the ongoing Suricata CUDA development.
GPUs could be leveraged for SSL decryption as well...

Unfortunately I don't really have much in the way of development resources
to offer here, but I may be able to provide testing facilities in our
high-traffic university environment where such a feature would be heavily
utilized.

--
Robert Vineyard, CISSP, RHCE
Senior Information Security Engineer
Georgia Tech Office of Information Technology
404.385.6900 (office/cell) / 404.894.9548 (fax)
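The "private key-escrowed" decryption Robert describes has a concrete shape, shown here as an added example that is not part of the original post and not Suricata's own code: once the server's RSA private key has unwrapped the premaster secret from the captured ClientKeyExchange, the rest is RFC 5246 key derivation, and the result can be handed to a dissector as an NSS-format key log line instead of handing out the private key itself. The RSA unwrap step is not shown; PREMASTER, CLIENT_RANDOM and SERVER_RANDOM are constructed stand-ins for values parsed from a capture, and the function names are this example's own. The escrow_can_decrypt check carries the caveat a practitioner needs: ephemeral (EC)DHE suites never put the premaster secret on the wire, so an escrowed key cannot decrypt them.

```python
"""Added example: key derivation for passive TLS 1.2 decryption from an
escrowed server private key (standard library only; not Suricata code).
The RSA decryption of the ClientKeyExchange is assumed to have already
produced PREMASTER; everything below it is RFC 5246 section 5 / 8.1."""
import hmac


def p_hash(secret: bytes, seed: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """P_hash from RFC 5246 section 5: HMAC chained over A(i) until enough output."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF = P_SHA256(secret, label + seed). SHA-384 suites swap the hash."""
    return p_hash(secret, label + seed, length)


def master_secret(premaster: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """master_secret = PRF(pre_master_secret, "master secret", client_random + server_random)[0..47]."""
    return tls12_prf(premaster, b"master secret", client_random + server_random, 48)


def key_block(master: bytes, client_random: bytes, server_random: bytes,
              mac_len: int, key_len: int, iv_len: int) -> dict:
    """key_block = PRF(master_secret, "key expansion", server_random + client_random).
    Note the randoms are in the opposite order from the master-secret derivation."""
    total = 2 * (mac_len + key_len + iv_len)
    block = tls12_prf(master, b"key expansion", server_random + client_random, total)
    names = ["client_write_MAC_key", "server_write_MAC_key",
             "client_write_key", "server_write_key",
             "client_write_IV", "server_write_IV"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = block[pos:pos + size]
        pos += size
    return keys


def keylog_line(client_random: bytes, master: bytes) -> str:
    """NSS key log format ("CLIENT_RANDOM <client random hex> <master secret hex>"),
    which Wireshark's TLS dissector accepts; share this, not the private key."""
    return f"CLIENT_RANDOM {client_random.hex()} {master.hex()}"


def escrow_can_decrypt(cipher_suite: str) -> bool:
    """An escrowed private key only helps when the premaster secret is RSA-encrypted
    in the capture (static RSA key transport). With DHE/ECDHE the key merely signs
    the handshake and the session secret never crosses the wire (forward secrecy)."""
    if cipher_suite.startswith("TLS_RSA_WITH_"):
        return True
    if cipher_suite.startswith(("TLS_DHE_", "TLS_ECDHE_")):
        return False
    raise ValueError(f"unhandled key exchange for {cipher_suite}")


# Constructed inputs standing in for values parsed from a packet capture.
CLIENT_RANDOM = bytes(range(0x00, 0x20))                   # 32-byte ClientHello.random
SERVER_RANDOM = bytes(range(0x20, 0x40))                   # 32-byte ServerHello.random
PREMASTER = b"\x03\x03" + b"\x11" * 46                     # client_version + 46 "random" bytes

if __name__ == "__main__":
    ms = master_secret(PREMASTER, CLIENT_RANDOM, SERVER_RANDOM)
    # TLS_RSA_WITH_AES_128_CBC_SHA: HMAC-SHA1 key 20, AES-128 key 16, CBC IV 16
    keys = key_block(ms, CLIENT_RANDOM, SERVER_RANDOM, mac_len=20, key_len=16, iv_len=16)
    print(keylog_line(CLIENT_RANDOM, ms))
    for name, value in keys.items():
        print(f"{name:22s} {value.hex()}")
    for suite in ("TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"):
        print(suite, "decryptable with escrowed key:", escrow_can_decrypt(suite))
```

Running it prints the key log line followed by the six write keys for a CBC-SHA suite; feeding that line to a dissector decrypts the session without the private key ever leaving the escrow host. Negotiated suites that start with TLS_DHE_ or TLS_ECDHE_ come back False, which is the case where key escrow buys nothing and a terminating proxy or endpoint key logging is needed instead.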


