gemovefire

Sniffing Decrypted TLS Traffic With Security Onion: A Practical Approach to Decrypt and Analyze TLS



I have Security Onion installed and doing full packet capture on my home network. I also have a firewall (pfSense) which does my routing. I have Security Onion sitting just behind my firewall and mirrored from a switch. It works great except I want to decrypt my SSL traffic. I would very much prefer to have the decryption take place on the fly instead of manually decrypting with Wireshark; that way Snort sees everything as well. I installed Squid on the firewall to try to proxy my traffic but it is not working right. It forwards everything on but I can't get it to decrypt (run live capture on the firewall and it is still encrypted). If I can get this working, will that be enough (using the firewall's private key to decrypt)? If so, how would I go about setting this up in Security Onion? Thank you for your help.




Sniffing Decrypted TLS Traffic With Security Onion




The SslBump feature in Squid allows the proxy to inspect the decrypted web traffic, but the tools on the Security Onion node (Snort, Zeek etc.) will still only see the encrypted traffic because they don't support passive TLS decryption.


Wouldn't it be awesome to have a NIDS like Snort, Suricata or Zeek inspect HTTP requests leaving your network inside TLS encrypted HTTPS traffic? Yeah, we think so too! We have therefore created this guide on how to configure Security Onion to sniff decrypted TLS traffic with the help of PolarProxy.


PolarProxy is a forward TLS proxy that decrypts incoming TLS traffic from clients, re-encrypts it and forwards it to the server. One of the key features in PolarProxy is the ability to export the proxied traffic in decrypted form using the PCAP format (a.k.a. libpcap/tcpdump format). This makes it possible to read the decrypted traffic with external tools, without having to perform the decryption again. It also enables packet analysis using tools that don't have built-in TLS decryption support.


Run the Security Onion setup utility by double-clicking the "Setup" desktop shortcut or executing "sudo sosetup" from a terminal. Follow the setup steps in the Production Deployment documentation and select "decrypted" as your sniffing interface.


The decrypted traffic can now be accessed via PolarProxy's PCAP-over-IP service on TCP 57012. We can leverage tcpreplay and netcat to replay these packets to our dummy network interface in order to have them picked up by Security Onion.

    nc localhost 57012 | tcpreplay -i decrypted -t -

However, it's better to create a systemd service that does this automatically on bootup. We therefore create a file called /etc/systemd/system/tcpreplay.service with the following contents:

    [Unit]
    Description=Tcpreplay of decrypted traffic from PolarProxy
    After=PolarProxy.service

    [Service]
    Type=simple
    ExecStart=/bin/sh -c 'nc localhost 57012 | tcpreplay -i decrypted -t -'
    Restart=on-failure
    RestartSec=3

    [Install]
    WantedBy=multi-user.target
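Before wiring the PCAP-over-IP port into tcpreplay, it helps to confirm that the port really delivers a well-formed PCAP stream. The following Python parser is an added example, not part of the original guide or of PolarProxy; it assumes the service sends the classic libpcap format named above, and the function names and sample capture are constructed for illustration.

```python
import io
import struct

PCAP_MAGIC = 0xA1B2C3D4      # classic libpcap file magic (microsecond timestamps)
MAX_RECORD = 262144          # sanity limit per packet (libpcap's maximum snaplen)

def read_pcap_stream(stream, limit=None):
    """Parse a libpcap byte stream; return (link_type, list of packet bytes)."""
    header = stream.read(24)
    if len(header) < 24:
        raise ValueError("stream ended before the 24-byte global header")
    for endian in ("<", ">"):            # the magic reveals the writer's byte order
        if struct.unpack(endian + "I", header[:4])[0] == PCAP_MAGIC:
            break
    else:
        raise ValueError("no libpcap magic: not a classic pcap stream")
    link_type = struct.unpack(endian + "I", header[20:24])[0]
    packets = []
    while limit is None or len(packets) < limit:
        record = stream.read(16)         # ts_sec, ts_usec, incl_len, orig_len
        if len(record) < 16:
            break                        # end of stream
        incl_len = struct.unpack(endian + "I", record[8:12])[0]
        if incl_len > MAX_RECORD:
            raise ValueError("implausible packet length: stream out of sync")
        data = stream.read(incl_len)
        if len(data) < incl_len:
            break                        # final packet was cut short
        packets.append(data)
    return link_type, packets

def sample_stream(endian="<"):
    """Constructed two-packet capture with link type 1 (Ethernet)."""
    out = struct.pack(endian + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for payload in (bytes(60), b"\x11" * 42):
        out += struct.pack(endian + "IIII", 0, 0, len(payload), len(payload)) + payload
    return out

# Offline demonstration on the constructed capture.
LINK_TYPE, PACKETS = read_pcap_stream(io.BytesIO(sample_stream()))
```

Against the live service, pass socket.create_connection(("localhost", 57012)).makefile("rb") as the stream and set a limit, because a PCAP-over-IP stream does not end on its own.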


Wait for the Elastic stack to initialize, so that the intercepted network traffic becomes available through the Kibana GUI. You can check the status of the Elastic initialization with "sudo so-elastic-status".


Well, not entirely. Like everything else in engineering, encrypted traffic presents trade-offs. A big one is that it makes network traffic less transparent to your own security people and monitoring systems. How are you supposed to check network traffic for malicious programs and problematic content?


One possibility for making a lot, if not all, of your encrypted traffic inspectable is a Secure Sockets Layer (SSL)/TLS proxy server. Communications, including encrypted communications, go through the proxy server, which accepts the encrypted connection on one end, decrypts the traffic, performs some operation, then reencrypts and sends the traffic to the destination. The operations the proxy server performs can include security operations, such as malware scanning and blocking prohibited sites. Many third-party security products operate as SSL/TLS proxies.


Proxy servers operating in this fashion add complexity to an already complex network configuration. While they can actually accelerate traffic through caching, they also have the potential to slow it. An alert from the CERT Coordination Center at the U.S. Department of Homeland Security in 2017 warned that many of the products in this space do not properly validate certificates or forward error conditions. Many security experts, like Will Dormann at Carnegie Mellon, argue that SSL inspection is not worth the risks that it introduces.


Traffic that is legitimately encrypted (at the level of network packets) typically uses SSL/TLS. You might encounter other encrypted protocols. Some might be legitimate, but others have no place on your network.


Network architecture in the mobile/telecom space has taken a lot of steps over the last few 3GPP releases to isolate control/signaling traffic (the stuff you'd likely want to troubleshoot with) from the simpler, high-bandwidth user-plane data flows, logically and in most cases physically on the wire. This approach allows for the capture of signaling traffic relevant for sessions that could be carrying Tbps of bandwidth by capturing on very low-bandwidth links.


The traffic capturing and aggregation/filtering/sorting technologies out there are keeping up with increased bandwidth pretty well. The quick rise of companies like VSS who sell dedicated aggregators for filtering high-bandwidth links into isolated flows for analysis, the move of vendors like Cisco to performing SPAN on their routing platforms in hardware rather than the historically processor-crippling methods they'd used in the past, the advancement of new in-line capture methods such as JDSU's Packet Portal (SFPs in a router or switch that can intelligently self-mirror traffic to an analyzer), off the top of my head are just a few examples of the market rising to meet these kinds of challenges.


In my post on Enabling FortiGate SSL MITM inspection we deployed SSL inspection using the FortiGate so that we can provide FortiGate integrated security to SSL encrypted traffic flows, but what if we would like to perform other analysis on this traffic? There are tons of tools out there, from network analyzers, IDS, SIEMs, etc. that will offer you the ability to inspect traffic out of band and analyze it, so you can look for various patterns, network flows, etc.


FortiGates, as of FortiOS 6.0, offer you the ability to export a packet flow that has been SSL inspected by a firewall, which is what I am going to do in this post. Unfortunately I don't have hardware to plug into a SPAN port, and I want to inspect my traffic in a virtual machine, so I'm going to use GRE encapsulation to send a decrypt SPAN to a Security Onion installation. If you aren't aware of Security Onion, you should get familiar with it; it has a lot of REALLY cool features that are super useful for analyzing traffic flows.


Deploying Security Onion is a little outside the scope of this post, but it's not terribly hard if you follow the documentation and guides on the Security Onion Website. For this lab I'm just deploying an all-in-one VM based on the Security Onion ISO (version 16.04.6.6). I deployed it into my Proxmox VE hypervisor environment.


In this paper, we shall discuss HTTPS (HTTP over SSL/TLS), the most common encrypted network traffic protocol. In a communication encrypted by SSL/TLS, the hosts have to first agree on encryption methods and their parameters. Therefore, the initial packets contain unencrypted messages with information about the client and server. This information varies among different clients and their versions. A similar client identifier is the User-Agent value in an HTTP header, which is commonly used for identifying the client and classifying traffic. However, only the SSL/TLS handshake can be observed in an HTTPS connection without decrypting the payload. Therefore, we approach the problem of identifying the SSL/TLS client and classifying HTTPS traffic by building up a dictionary of SSL/TLS handshake fingerprints and their corresponding User-Agents.


Third, we shall use the pairs of SSL/TLS fingerprints and User-Agents as a dictionary to assign User-Agents to the HTTPS connections observed during the measurement. We shall discuss the quality of the obtained pairs with respect to the dictionary size and accuracy of the User-Agent estimation. The goal of this part is to estimate the size and accuracy of a dictionary which could be used for identifying clients on a large scale and classifying network traffic.
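The dictionary approach described above can be illustrated with the following added Python example, which is not code from the paper. It assumes the fingerprint is the ordered cipher suite list of the ClientHello with GREASE values removed (the text here does not define the fingerprint), and the ClientHello bytes, User-Agent strings and function names are constructed for illustration.

```python
import struct
from collections import Counter, defaultdict

# GREASE values (RFC 8701) change per connection, so drop them before matching.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}

def cipher_suite_fingerprint(record: bytes) -> str:
    """Fingerprint a ClientHello record by its ordered cipher suite list."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    body = record[5:5 + struct.unpack_from("!H", record, 3)[0]]
    try:
        pos = 4 + 2 + 32                 # handshake header, client_version, random
        pos += 1 + body[pos]             # skip the variable-length session_id
        (cs_len,) = struct.unpack_from("!H", body, pos)
        suites = struct.unpack_from("!%dH" % (cs_len // 2), body, pos + 2)
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated or malformed ClientHello") from exc
    return ",".join("%04x" % s for s in suites if s not in GREASE)

def build_dictionary(pairs):
    """Map each fingerprint to a Counter of the User-Agents observed with it."""
    table = defaultdict(Counter)
    for fingerprint, user_agent in pairs:
        table[fingerprint][user_agent] += 1
    return table

def estimate_user_agent(table, fingerprint):
    """Return (most frequent User-Agent, its share of observations)."""
    seen = table.get(fingerprint)
    if not seen:
        return None, 0.0                 # fingerprint missing from the dictionary
    user_agent, hits = seen.most_common(1)[0]
    return user_agent, hits / sum(seen.values())

def sample_client_hello(suites):
    """Constructed test data: a minimal ClientHello with no extensions."""
    hello = b"\x03\x03" + bytes(32) + b"\x00"     # version, random, empty session_id
    hello += struct.pack("!H%dH" % len(suites), 2 * len(suites), *suites)
    hello += b"\x01\x00"                          # one compression method (null)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

# Constructed observations: three connections from a browser, one from a CLI tool.
BROWSER = cipher_suite_fingerprint(sample_client_hello([0x1A1A, 0x1301, 0x1302, 0xC02B]))
TOOL = cipher_suite_fingerprint(sample_client_hello([0xC02F, 0x009C]))
TABLE = build_dictionary([(BROWSER, "ExampleBrowser/1.0"), (BROWSER, "ExampleBrowser/1.0"),
                          (BROWSER, "ExampleBrowser/1.1"), (TOOL, "example-cli/2.0")])
```

The share returned by estimate_user_agent shows how ambiguous a fingerprint is: one fingerprint seen with several User-Agents lowers the confidence of the estimate.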


The motivation for our work came from three main areas of interest. Firstly, it is the analysis of encrypted network traffic in general, including identification and characterization of encrypted network traffic and classification of communicating clients. From this point of view, we are not interested in individual clients but rather overall characteristics of network traffic. The second area of interest is client identification, which aims at obtaining information on an individual client. This applies mostly to web browser fingerprinting. The third area is network security and forensics, where we typically want to detect activity of a specific network host, detect malicious clients, and evaluate the activity of unknown or unusual clients.


We have to understand the network traffic before we can proceed to client identification and detection of suspicious or even malicious activity. Therefore, we have to observe network traffic to get insight into typical patterns. Specifically, in this case, we have to retrieve a record of encrypted network traffic containing as many different patterns as possible. To motivate our work, we decided to analyze real network traffic in a campus network instead of generating the traffic patterns in a laboratory environment. Therefore, we can get more interesting results which are not necessarily related to the proposed experiment. These results can later be useful for network administrators, security practitioners, and the scientific community.

