IDS News

<< Next Post -

Security Onion and seeing through HTTPS

Security Onion is an Open Source Linux distribution that makes deploying an IDS/NSM a very easy task indeed and I highly recommend you try it at home. Especially since you can do everything in a VM…

The video below gives a great summary of what this is all about (it is an hour long, but like any good movie you won’t see the time fly ;)


If you have ever been through a Snorby installation yourself, you will appreciate this distribution even more as everything is done for you. The installation process only asks a couple of questions and you should be ready to monitor your network, analyse data through full packet capture within 15 minutes!

The latest beta is even better, and lets you use your own Ubuntu flavoured distribution if you prefer not to use the default one provided. It runs on Ubuntu 12.04 and comes with Snort, Suricata, Bro, Elsa, Sguil and more.
The author and presenter in the above video, Doug Burks, also answers an interesting question near the end of the video about HTTPS traffic and how it could be handled as part of an IDS solution. Specifically, he gives the following advice: to use viewssld or bro.

Viewssld, is a tool that can intercept and decrypt HTTPS traffic, but only to sites you own as explain HERE, because you need the private RSA key of the traffic you want to intercept and analyse.

Being able to see https traffic to sites you own is good, but really, what you need is to see all Https traffic. Especially since that traffic could be from a malware calling home or a mean to bypass corporate web filtering solutions.
There are other (expensive) interception proxy solutions available, which can intercept all https traffic, but I always though that by basically implementing a Man in the Middle HTTPS proxy it would mean users get certificate validation warnings every time they try to access something like https://www.example.com and get instead a certificate back from https://my_interception_proxy.com.

Having said that, there is a great paper that was published by Dell back in March during Blackhat 2012. It describes how the use of a public root SubCA (if you can get one!) in Interception proxies can help make this process less visible/disruptive to the user. They also describe the use of Transitive root trust to achieve a similar goal.

But back to Doug Burks/Security Onion’s video, where he also mentions the use of Bro and leveraging its network anomaly monitoring capability. I see that as a quick win and one that is easy to implement for free!
The idea is that malware or hackers are more likely to use self issued certificates and by analysing anomalies in https traffic through bro, you should be able to identify https traffic which do not follow certificates standards and are not fully trusted. Therefore, even if you still can’t see what is being transmitted you would at least get some indication something is wrong and where to look further (i.e.: IP source, further pattern analysis, etc).

My hat off to Doug Burks and all the other Security Onion contributors!
PS: For more info on SSL and how it really works, there is also a great READ HERE.

<< Next Post -