Network Forensics & Security Analytics

Hi,
Anyone know whether SA interprets decrypted HTTPS the same way as plain-text HTTP ? We've got problem with extractions from decrypted HTTPS sessions. SA show particular requests but mostly their responses have a 0 byte size, and we are unable to got any artifacts from that session. Things got a little bit better when we enable Assemble partial content in system settings but still responses are truncated and SA seems to be unable to reassamble that.
We're running 8.1 SA. Tried it with two sources of decrypted SSL: ProxySG with Encrypted TAP and Checkpoint NGFW. In both cases it was the same.

Hi, Rafal.

Have you been working with support? There are a couple of ways to pass decrypted traffic to Security Analytics, but the one that works best is the Symantec SSL Visibility appliance. It does the best job of passing us decrypted traffic in a way our session state machine can follow.

If you have a PCAP to share, we can have a look--it's typically best to pass those through support to maintain confidentiality.

Thanks

------------------------------
Product Management and Development Lead
Broadcom
------------------------------

Original Message:
Sent: 02-03-2020 11:06 AM
From: Rafal Oracz
Subject: Extracting decrypted HTTPS sessions

Hi,
Anyone know whether SA interprets decrypted HTTPS the same way as plain-text HTTP ? We've got problem with extractions from decrypted HTTPS sessions. SA show particular requests but mostly their responses have a 0 byte size, and we are unable to got any artifacts from that session. Things got a little bit better when we enable Assemble partial content in system settings but still responses are truncated and SA seems to be unable to reassamble that.
We're running 8.1 SA. Tried it with two sources of decrypted SSL: ProxySG with Encrypted TAP and Checkpoint NGFW. In both cases it was the same.