psmitty7373
commented
4 years ago Edit: I was thinking of SSLProxy, sorry.
Open realtmf opened 4 years ago
psmitty7373
commented
4 years ago Edit: I was thinking of SSLProxy, sorry.
realtmf
commented
4 years ago My understanding is that "-T" is used to determine the MAC address of the target device. However, in a typical IDS scenario, the monitoring (target) device does not have an IP stack bound to its promiscuous interface. And sslsplit refuses to accept "-I" without "-T". Moreover, it does not seem to support output on an interface without IP address.
So the idea would be to have "mirroring" function like the mirroring port of a switch.
Scenario: sslsplit on multihomed machine; ens192 has IP 10.0.0.42 and is where SSL interception is performed; decrypted traffic is to be sent out on ens224 which does not have an IP address, and is connected to an IDS device with its monitoring port in promiscuous mode without IP stack. (There may even be multiple devices passively monitoring the output from sslsplit, e.g. on a virtual switch that allows promiscuous mode).
Edit: the reason for using sslsplit over SSLProxy is exactly the mirroring capability ;)
erik4711
commented
4 years ago Sending decrypted SSL traffic to an IDS sounds like the standard use case for SSLsplit's "-I" feature, so I'm sure it should be doable.
However, if it cannot be solved then you might wanna try decrypting with PolarProxy and pushing the decrypted traffic to an interface with tcpreplay like this: PolarProxy -p 8443,80,443 -w - | tcpreplay -i ens224 -
A more advanced setup is available in this tutorial on how to use PolarProxy with SecurityOnion: https://netresec.com/?b=2013af4
Sorry for plugging another tool here, SSLsplit is indeed a great tool!
victorjulien
commented
3 years ago With a hack to the code I can make this work with Suricata on a local veth pair. If there is interest I can do a PR.
erik4711
commented
3 years ago @victorjulien Is there an advantage to using a veth type interface rather than a dummy?
victorjulien
commented
3 years ago @victorjulien Is there an advantage to using a
vethtype interface rather than adummy?
I don't know, I can revisit dummy as well. I tried many things to work around the arp lookup. The veth thing was the last I tried before hacking the code :)
victorjulien
commented
3 years ago I can confirm dummy works as well.
First off, I appreciate all the work you put into this great tool!
Would there be a way to implement outputting the decrypted traffic to a "raw" interface, maintaining source and destination MAC addresses, so that a device listening in promiscuous mode can pick up the decrypted traffic? (Sort of like -T without -I, since the target device has no IP stack and simply listens to all traffic, like an IDS e.g.)
Thanks!