[Oisf-users] Decrypt ssl sessions
Martin Holste
mcholste at gmail.com
Mon Nov 21 15:11:48 UTC 2011
Sounds like a great masters thesis for someone...
On Mon, Nov 21, 2011 at 8:49 AM, Robert Vineyard
<robert.vineyard at oit.gatech.edu> wrote:
> On 11/21/2011 9:33 AM, carlopmart wrote:
>> Maybe it is off-topic, but AFAIK Suricata doesn't decrypt SSL
>> sessions, correct? But does some open-source tool exist that can do it and
>> pass traffic to Suricata to analyze it?
>
> I don't think it's off-topic at all, and in fact is a feature that would
> give Suricata a competitive advantage over many other IDS systems -
> including Snort.
>
> We've observed attackers utilizing encryption to mask their activities,
> often sending malicious traffic over legitimate HTTPS or SSH channels. This
> technique is generally successful in allowing them to bypass traditional
> signature-based IDS setups.
>
> There are some commercially-available products that either include SSL
> decryption or offer it as an add-on, including one from Sourcefire.
>
> I think a good first start if there's enough interest in pursuing this type
> of functionality would be real-time decryption of private key-escrowed
> legitimate traffic. A number of application-layer "next generation"
> firewalls can do this with minimal additional overhead, particularly
> considering some of the crypto-acceleration features built into recent CPUs
> from Intel and others - never mind the ongoing Suricata CUDA development.
> GPUs could be leveraged for SSL decryption as well...
>
> Unfortunately I don't really have much in the way of development resources
> to offer here, but I may be able to provide testing facilities in our
> high-traffic university environment where such a feature would be heavily
> utilized.
>
> --
> Robert Vineyard, CISSP, RHCE
> Senior Information Security Engineer
> Georgia Tech Office of Information Technology
> 404.385.6900 (office/cell) / 404.894.9548 (fax)