[Oisf-users] Decrypt ssl sessions

carlopmart carlopmart at gmail.com
Mon Nov 21 15:10:51 UTC 2011


On 11/21/2011 03:49 PM, Robert Vineyard wrote:
> On 11/21/2011 9:33 AM, carlopmart wrote:
>>    Maybe it is off-topic, but AFAIK Suricata doesn't decrypt SSL
>> sessions, correct? But does some open-source tool exist that can do it and
>> pass traffic to Suricata to analyze it?
>
> I don't think it's off-topic at all, and in fact is a feature that would
> give Suricata a competitive advantage over many other IDS systems -
> including Snort.
>
> We've observed attackers utilizing encryption to mask their activities,
> often sending malicious traffic over legitimate HTTPS or SSH channels. This
> technique is generally successful in allowing them to bypass traditional
> signature-based IDS setups.
>
> There are some commercially-available products that either include SSL
> decryption or offer it as an add-on, including one from Sourcefire.
>
> I think a good first start if there's enough interest in pursuing this type
> of functionality would be real-time decryption of private key-escrowed
> legitimate traffic. A number of application-layer "next generation"
> firewalls can do this with minimal additional overhead, particularly
> considering some of the crypto-acceleration features built into recent CPUs
> from Intel and others - never mind the ongoing Suricata CUDA development.
> GPUs could be leveraged for SSL decryption as well...
>
> Unfortunately I don't really have much in the way of development resources
> to offer here, but I may be able to provide testing facilities in our
> high-traffic university environment where such a feature would be heavily
> utilized.
>

Thanks Robert. For me, if a firewall can do it, that is sufficient. But
what I do not know is whether it is possible to do it with iptables-based
firewalls, BSD, etc ...


-- 
CL Martinez
carlopmart {at} gmail {d0t} com
