I'm going to implement Snort and Suricata inline IPS solutions; however, considering that now almost everything goes through SSL, I don't think it makes much sense to use them without SSL decryption. There's plenty of commercial SSL decryptors, like for example Wheel Lynx or Gigamon, but I'm looking for some open source solutions. Basically I'm looking for a setup like this:
LAN - https (with my CA) - ssl decryptor - Suricata (http) - Snort (http) - ssl decryptor - L4 firewall - https (with original CA) - WORLD
Lynx can work on 4 interfaces in the following manner:
encrypted output to world, encrypted output to LAN and two decrypted inline interfaces in/out that could be connected to chained Snort and Suricata.
Is there any open source solution that would allow similar functionality?
Last edited by lapsio (2018-08-09 09:46:57)
https://docs.mitmproxy.org/stable/conce … tificates/
https://wiki.squid-cache.org/ConfigExam … mpExplicit
Personally, I wouldn't trust intercepted SSL if the intercept is not under my control.
Last edited by progandy (2018-08-09 10:01:03)
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
progandy wrote:
https://docs.mitmproxy.org/stable/conce … tificates/
https://wiki.squid-cache.org/ConfigExam … mpExplicit
Personally, I wouldn't trust intercepted SSL if the intercept is not under my control.
Thanks, I think Squid can't really work as such an SSL-decrypting "container" with unencrypted in/out links, only decrypt SSL for its own usage, but I found some articles describing how to achieve what I'm interested in with two mitmproxy instances. The tutorials I saw used the NFQ engine, which is black magic to me, and I think I'd rather use the "standard" afpacket engine and a few patch cords to loop traffic between interfaces, to be entirely sure that the IPS/IDS will be able to block connections.
In order to achieve such a setup, I can use policy-based routing on Linux (ip rule) and point a particular interface as the default gateway for the mitmproxy process/user, right?
Last edited by lapsio (2018-08-09 10:46:52)
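The policy-based-routing part of the question above, as an added example that is not from any post in this thread and not mitmproxy's own documentation: the script generates the `iptables`/`ip rule`/`ip route` commands that steer every packet originated by the mitmproxy user out of a dedicated interface (the decrypted in/out link that is patch-corded into the Suricata/Snort chain), leaving all other local traffic on the normal routing table. The user name `mitmproxy`, interface `eth2`, next hop `192.0.2.1`, routing table `100` and fwmark `0x64` are assumed placeholder values; it prints the commands by default and only executes them (as root) when `PBR_APPLY=1`.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed values: user "mitmproxy",
# egress interface "eth2", next hop 192.0.2.1, routing table 100, fwmark 0x64.
set -eu

# pbr_rules USER IFACE GATEWAY TABLE MARK
# Emit the commands that:
#   1. build a dedicated routing table whose default route leaves via IFACE,
#   2. mark locally generated packets owned by USER (the mitmproxy process)
#      in the mangle OUTPUT chain with MARK,
#   3. send marked packets through that table via an ip rule,
#   4. loosen reverse-path filtering on IFACE so asymmetric return traffic
#      from the inspection loop is not dropped by the kernel.
pbr_rules() {
    user="$1"; iface="$2"; gw="$3"; table="$4"; mark="$5"
    cat <<EOF
ip route flush table $table
ip route add default via $gw dev $iface table $table
iptables -t mangle -A OUTPUT -m owner --uid-owner $user -j MARK --set-mark $mark
ip rule add fwmark $mark lookup $table priority 1000
sysctl -w net.ipv4.conf.$iface.rp_filter=2
EOF
}

# pbr_rules_count: number of commands generated (handy for sanity checks)
pbr_rules_count() {
    pbr_rules "$@" | wc -l | tr -d ' '
}

# apply_pbr: execute the generated commands when PBR_APPLY=1 (requires root
# and a real interface); otherwise just print them for review.
apply_pbr() {
    if [ "${PBR_APPLY:-0}" = "1" ]; then
        pbr_rules "$@" | sh -e
    else
        pbr_rules "$@"
    fi
}

# Stand-alone run: show the commands for the assumed placeholder values.
apply_pbr mitmproxy eth2 192.0.2.1 100 0x64
```

The `-m owner` match only exists for locally generated packets, which is exactly the mitmproxy egress case; traffic that mitmproxy receives from the LAN still has to reach it via whatever transparent redirection (or explicit proxy setting) is chosen on the LAN-facing interface, and IPv6 needs the same rules repeated with `ip -6` and `ip6tables`. The mark and table numbers are arbitrary, but the `ip rule` priority must sit below the main table's so the marked lookup wins.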