sonertari / SSLproxy

Transparent SSL/TLS proxy for decrypting and diverting network traffic to other programs, such as UTM services, for deep SSL inspection
BSD 2-Clause "Simplified" License

FilterRules prevents packets from being replayed in split mode #56

Closed GhostNaix closed 11 months ago

GhostNaix commented 11 months ago

Hi, I'm trying to operate SSLProxy with the listed config and believe I have encountered a bug. Whenever I enable a FilterRule to whitelist a specific website (enable passthrough for particular sites or IPs), SSLproxy does not replay the decrypted traffic on the interface specified; however, when I comment the FilterRules out, SSLproxy returns decrypted traffic to the interface.

When the FilterRule is active, I know that the proxy is still decrypting traffic because when I go to the security tab of Chrome I can see the self-signed certificate on websites other than the one I listed as a passthrough.

OS: Ubuntu 22.04.3 LTS

Output of sslproxy -V:

SSLproxy v0.9.4 (built 2023-08-13)
Copyright (c) 2017-2022, Soner Tari <sonertari@gmail.com>
https://github.com/sonertari/SSLproxy
Copyright (c) 2009-2019, Daniel Roethlisberger <daniel@roe.ch>
https://www.roe.ch/SSLsplit
Build info: V:GIT
Features: -DHAVE_NETFILTER
NAT engines: netfilter* tproxy
netfilter: IP_TRANSPARENT IP6T_SO_ORIGINAL_DST
Local process info support: no
compiled against OpenSSL 3.0.2 15 Mar 2022 (30000020)
rtlinked against OpenSSL 3.0.2 15 Mar 2022 (30000020)
OpenSSL has support for TLS extensions
TLS Server Name Indication (SNI) supported
OpenSSL is thread-safe with THREADID
OpenSSL has engine support
Using SSL_MODE_RELEASE_BUFFERS
SSL/TLS protocol availability: tls10 tls11 tls12 tls13
SSL/TLS algorithm availability: !SHA0 RSA DSA ECDSA DH ECDH EC
OpenSSL option availability: SSL_OP_NO_COMPRESSION SSL_OP_NO_TICKET SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION SSL_OP_TLS_ROLLBACK_BUG
compiled against libevent 2.1.12-stable
rtlinked against libevent 2.1.12-stable
compiled against libnet 1.1.6
rtlinked against libnet 1.1.6
compiled against libpcap n/a
rtlinked against libpcap 1.10.1 (with TPACKET_V3)
compiled against sqlite 3.37.2
rtlinked against sqlite 3.37.2
4 CPU cores detected

Output of uname -a: Linux UbuntuBox 5.15.0-78-generic #85-Ubuntu SMP Fri Jul 7 15:25:09 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

Exact command line arguments: sslproxy -f "/etc/SSLProxy/sslproxy.conf"

NAT redirection rules: iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443

Configuration of SSLproxy:

# Sample configuration for sslproxy v0.9.4
#
# Use the -f command line option to start sslproxy with a config file.
# See sslproxy.conf(5) and sslproxy(1) for documentation.
#
# Note that the ordering of options, rules, and proxyspecs in configuration 
# files (and on the command line) is important. For example, rules and 
# proxyspecs can only make use of the options defined earlier.

# Use CA cert (and key) to sign forged certs.
# Equivalent to -c command line option.
#CACert CA/CA.crt
CACert /Certificates/SSL_Inspection.crt

# Use CA key (and cert) to sign forged certs.
# Equivalent to -k command line option.
#CAKey CA/CA.key
CAKey /Certificates/SSL_Inspection.key

# Daemon mode: run in background, log error messages to syslog.
# Equivalent to -d command line option.
Daemon no

# Debug mode: run in foreground, log debug messages on stderr.
# Equivalent to -D command line option.
# Enabled as this prevented it from crashing when running as a service
# in version v0.9.4
Debug yes

# Mirror packets to interface.
# Equivalent to -I command line option.
MirrorIf ens33

# Mirror packets to target address (used with MirrorIf).
# Equivalent to -T command line option. Leave commented if the target is
# irrelevant (e.g. mirror to dummy device)
MirrorTarget 192.168.1.206

# Connect log: log one line summary per connection to logfile.
# Equivalent to -l command line option.
#ConnectLog /var/run/ips/sslproxy/connect.log
#ConnectLog connect.log

# Content log: full data to file or named pipe
# (excludes ContentLogDir/ContentLogPathSpec).
# Equivalent to -L command line option.
#ContentLog content.log

# Write pid to file.
# Equivalent to -p command line option.
# (default: no pid file)
PidFile /var/run/sslproxy.pid

# Use the given OpenSSL ciphers spec.
# Equivalent to -s command line option.
# (default: ALL:-aNULL)
#Ciphers ALL:-aNULL

# Leaf key RSA keysize in bits, use 1024|2048|3072|4096.
# (default: 2048)
LeafKeyRSABits 4096

# Close connections after this many seconds of idle time
ConnIdleTimeout 120

# Check for expired connections every this many seconds
ExpiredConnCheckPeriod 10

# Set open files limit, use 50-10000
OpenFilesLimit 8192

ProxySpec {
    # Https Inspection proxy
    Proto https
    Addr 0.0.0.0
    Port 8443

    # Passthrough SSL connections if they cannot be split because of client cert
    # auth or no matching cert and no CA.
    # Equivalent to -P command line option.
    # (default: drop)
    Passthrough yes

    #Ciphers MEDIUM:HIGH
    #CipherSuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256

    # Remove HTTP header line for Accept-Encoding
    RemoveHTTPAcceptEncoding no

    # Remove HTTP header line for Referer
    RemoveHTTPReferer yes

    # When disabled, never add the SNI to forged certificates, even if the SNI
    # provided by the client does not match the server certificate's CN/SAN.
    # Helps pass the wrong.host test at https://badssl.com/.
    AllowWrongHost no

    # Require authentication for users to use SSLproxy
    UserAuth no

    # Validate proxy spec protocols
    ValidateProto yes

    # Max HTTP header size in bytes for protocol validation
    MaxHTTPHeaderSize 8192

    # Filter Rules
    # Allow UI.com
    FilterRule {
        Action Pass
        SrcIp *
        SNI ui.com*
        CN ui.com*
    }

}

sonertari commented 11 months ago

This is from README:

If no filtering rules are defined for a proxyspec, all log actions for that proxyspec are enabled. Otherwise, all log actions are disabled, and filtering rules should enable them specifically.

I think this is not a bug, but probably not the best default behavior. Can you add another rule like the following to that proxyspec: Match * log mirror, so that the other connections are mirror logged (hopefully, if not then perhaps that's a bug).

GhostNaix commented 11 months ago

Ah, I see. Thank you, and my apologies for wasting your time then; by adding Match * log mirror to the proxyspec, the decrypted packets were mirrored to the specified interface.

Also some notes I learned along the way:

Say you have some filter rules like the following:

-- Snip --
FilterRule {
      Action Pass
      SrcIp *
      SNI .ui.com*
      CN .ui.com*
}
-- Snip --

You must place it above the FilterRule as sslproxy reads the config sequentially like so:

-- Snip --
Match * log mirror
FilterRule {
      Action Pass
      SrcIp *
      SNI .ui.com*
      CN .ui.com*
}
-- Snip --

or like this:

-- Snip --
FilterRule {
     Action Match
     SrcIp *
     Log mirror
}
FilterRule {
      Action Pass
      SrcIp *
      SNI .ui.com*
      CN .ui.com*
}
-- Snip --

PS: In Mirror/Split mode this is working with Suricata v6.0.5 and higher, although it may put strain on the interface you are capturing on.
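The pitfall in this thread is easy to miss in review: adding a single FilterRule to a proxyspec switches every log action (including the mirror feed to the IDS) from "all on" to "all off", so the sensor behind MirrorIf silently stops seeing decrypted traffic. The following checker is an added example, not SSLproxy's own code; it parses only the subset of sslproxy.conf syntax that appears in this issue (global MirrorIf, ProxySpec blocks, one-line rules such as "Match * log mirror", and FilterRule blocks with Action/Log lines), and it assumes that the tokens after "log" in a one-line rule name the enabled log actions. Both sample configurations are constructed from the thread's proxyspec.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the thread's proxyspec with only a Pass rule. Per the
# README quoted by sonertari, this disables all log actions (mirroring included).
SAMPLE_CONF_BROKEN = """\
MirrorIf ens33
MirrorTarget 192.168.1.206
ProxySpec {
    Proto https
    Addr 0.0.0.0
    Port 8443
    FilterRule {
        Action Pass
        SrcIp *
        SNI ui.com*
        CN ui.com*
    }
}
"""

# Constructed sample: the same proxyspec with the fix from the thread, a
# one-line rule that re-enables the mirror log action for other connections.
SAMPLE_CONF_FIXED = SAMPLE_CONF_BROKEN.replace(
    "    FilterRule {", "    Match * log mirror\n    FilterRule {", 1)

ONE_LINE_ACTIONS = {"divert", "split", "pass", "block", "match"}


@dataclass
class Rule:
    action: str                              # Pass, Match, Divert, ...
    logs: set = field(default_factory=set)   # log actions the rule enables


@dataclass
class ProxySpec:
    port: str = "?"
    rules: list = field(default_factory=list)


def parse_one_line_rule(action, rest):
    """Parse 'Match * log mirror' style rules. Assumption: every token after
    the 'log' keyword names a log action enabled by this rule."""
    toks = rest.split()
    logs = set()
    if "log" in toks:
        logs.update(toks[toks.index("log") + 1:])
    return Rule(action.capitalize(), logs)


def parse_conf(text):
    """Return (mirror_if, [ProxySpec, ...]) for the config subset used here.
    Comments ('#') are stripped; unknown keys are ignored."""
    mirror_if, specs, spec, rule = None, [], None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, val = line.partition(" ")
        key, val = key.lower(), val.strip()
        if rule is not None:                 # inside FilterRule { ... }
            if line == "}":
                spec.rules.append(rule)
                rule = None
            elif key == "action":
                rule.action = val
            elif key == "log":
                rule.logs.update(val.split())
        elif spec is not None:               # inside ProxySpec { ... }
            if line == "}":
                specs.append(spec)
                spec = None
            elif key == "filterrule":
                rule = Rule("")
            elif key == "port":
                spec.port = val
            elif key in ONE_LINE_ACTIONS:
                spec.rules.append(parse_one_line_rule(key, val))
        elif key == "mirrorif":              # global options
            mirror_if = val
        elif key == "proxyspec":
            spec = ProxySpec()
    return mirror_if, specs


def mirror_gaps(text):
    """List proxyspecs that have filter rules but none enabling 'log mirror'
    while a MirrorIf is configured: the IDS behind the mirror sees nothing."""
    mirror_if, specs = parse_conf(text)
    if mirror_if is None:
        return []
    return [
        f"ProxySpec port {s.port}: {len(s.rules)} filter rule(s) but none "
        f"enables 'log mirror'; no decrypted traffic will reach {mirror_if}"
        for s in specs
        if s.rules and not any("mirror" in r.logs for r in s.rules)
    ]


if __name__ == "__main__":
    for name, conf in (("broken", SAMPLE_CONF_BROKEN), ("fixed", SAMPLE_CONF_FIXED)):
        print(name, "->", mirror_gaps(conf) or "ok")
```

Running the script flags the original proxyspec and passes the corrected one. A check like this belongs in whatever pipeline deploys sslproxy.conf, because the failure mode is a silent detection gap rather than an error: the proxy keeps decrypting, the forged certificates still appear in the browser, and only the sensor goes quiet.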