Network Forensics & Security Analytics

Expand all | Collapse all

Extracting decrypted HTTPS sessions

  • 1.  Extracting decrypted HTTPS sessions

    Posted 02-03-2020 11:07 AM

    Hi,
    Anyone know whether SA interprets decrypted HTTPS the same way as plain-text HTTP ? We've got problem with extractions from decrypted HTTPS sessions. SA show particular requests but mostly their responses have a 0 byte size, and we are unable to got any artifacts from that session. Things got a little bit better when we enable Assemble partial content in system settings but still responses are truncated and SA seems to be unable to reassamble that.
    We're running 8.1 SA. Tried it with two sources of decrypted SSL: ProxySG with Encrypted TAP and Checkpoint NGFW. In both cases it was the same.



  • 2.  RE: Extracting decrypted HTTPS sessions

    Broadcom Employee
    Posted 05-21-2020 07:38 PM
    Hi, Rafal.

    Have you been working with support? There are a couple of ways to pass decrypted traffic to Security Analytics, but the one that works best is the Symantec SSL Visibility appliance. It does the best job of passing us decrypted traffic in a way our session state machine can follow.

    If you have a PCAP to share, we can have a look--it's typically best to pass those through support to maintain confidentiality.

    Thanks

    ------------------------------
    Product Management and Development Lead
    Broadcom
    ------------------------------