2014-10-22 01:53 PM
Hello! I am struggling with SSL investigation in SA and NW Investigator client.
I have a public/private key pair from a web server and a pcap which contains HTTPS traffic. I can decrypt the SSL-encrypted payload in Wireshark without any problems with my RSA private key.
There is no option to decrypt SSL with a private key in the SA web GUI. But there is NW Investigator, which can connect to SA or process a pcap. There is an option in the Investigator client to automatically decrypt SSL with an RSA key. But after providing the same pcap and key it just displays the same encrypted payload - it doesn't decrypt it (I also can't get it to work remotely with my SA 10.3 hybrid, but that's another story).
How do you inspect your SSL traffic with SA? Please do not propose Bluecoat, A10, Netronome and other $$$ solutions.
I believe that SSL inspection is quite a relevant topic as most of the malware is using SSL.
PS. I can provide the pcap and keypair or screens if anyone is interested.
2014-10-23 03:30 PM
Traditionally the RSA suggested solution is a rebranded RSA Netronome before the packet decoder.
2014-10-24 07:42 AM
Thanks for the point, but we don't have it available for PoC in our country.
We are trying to process a small number of sessions via free/open source tools for our PoC. There is no problem replacing the certificate or encrypting/decrypting any SSL session (Skype, Gmail, whatever). The problem is how to make SA analyze these sessions. NW Investigator has such possibilities but we can't get it to work.
2014-10-24 08:07 AM
Ah, you are outside the US.
The key piece for how SA ingests data is all network traffic has to be decrypted before the SA packet decoder processes the session. I don't know of a method on the SA packet decoder to decrypt with known certificates.
In your case the packet data is already in SA encrypted.
I suppose you could extract the pcap, decrypt, and then re-process via the network decoder.
I have no idea how to do that (would have to look that up), much less how you could automate it to not be so manually intensive.
I'd almost wonder if there is a way to build your own simple pass-through server that could real-time decrypt packets with your known keys before getting to the packet decoder. I'd start there, trying to decrypt with some kind of product in-line before the packet decoder.
2014-10-28 09:16 AM
Yes, I'm in Ukraine.
And I finally did it. NW Investigator can connect to SA hybrid and pull traffic remotely (port 50005 and you need Investigator 9.8 and a license for remote connection).
And it also can decrypt SSL. SCOL KB 000026270 "How to decrypt SSL or TLS sessions with RSA NetWitness Investigator" helped me with that. There are some restrictions - the KB is attached.
So you can collect packets as usual, then connect to your decoder with NW Investigator to inspect SSL. But it is quite slow and far from comfortable. Now we are working on some virtual or open source solution that is similar to what you've described. The main point is to replace the certificate with your own, with a known private key, and to forward unencrypted packets to the decoder while at the same time the connection between the client and the external resource stays encrypted.
2014-12-08 05:36 AM
In this SSL investigation we ended up testing multiple solutions. We tested A10, Sonicwall, Palo Alto - all with a focus on SSL decryption. They are all very different but basically all of them did what we needed - mirror decrypted SSL to the SA decoder, and the decoder saw HTTP instead of SSL. I think that any device which supports a decrypted mirror feature will integrate normally with SA. We are looking forward to checking out Bluecoat and F5 in this matter and to finding a virtual solution which is capable of SSL decryption, as many vendors lock the SSL decryption feature to hardware-only due to usage of special SSL chips (like Nitrox).