Add limited support for SSL monitoring

[sammcj]

/usr/bin/packetbeat[1812]: pgsql.go:275: Postgresql Message too short. 53 (length=1). Wait for more.

Relates to #46 - except I don't want to disable SSL on our database servers!
Is there any way we can still use packetbeat to see flows with PostgreSQL and SSL?

[packetb-old]

At the moment, Packetbeat works exclusively based on network traffic, and it cannot work with encrypted traffic. We understand your concerns and we don't want to suggest disabling SSL, especially if the network between your application and your DB servers is not under your control. We could perhaps get the certificates in order to do on-the-fly decrypting but this would come with it's own security concerns. So I'm afraid that Packetbeat is not the right system for you, at least in the current form.

In the future we might adopt other methods for gathering data, rather than relying exclusively on network traffic.

[sammcj]

As an idea, what about making packetbeat able to do some basic no-data inspection of SSL traffic, you can still see SRC and DST as well as the number of packets being sent & received.

Also, a more descriptive error would be good.

[packetb-old]

@sammcj, you are right, we could add some metadata for SSL packets which is more than nothing. Marked this as an enhancement.

[isopel]

Hi, we've been using packetbeat for capturing web traffic and I have a question probably closely related to this thread, you've mentioned that it's possible "to get SSL certificates in order to do on-the-fly decryption". I want to clarify if this can be supported in packetbeat (I didn't find anything in the docs regarding this so hoping for this to be considered)? It would be great if decryption of SSL-encrypted web traffic is supported assuming I have access to the actual SSL certs and their passwords.

[packetb-old]

@isopel To clarify, Packetbeat doesn't support this at the moment and we currently don't have plans to support this directly in our agent. We are focusing on improving Packetbeat for doing performance monitoring on the application layer, having primarily in mind the case where we sniff after the SSL termination (between the web server and the application server).

What you could try is to use the viewssld project in front of Packetbeat for the on-the-fly decryption. See here an article about how to do this for Snort, but you can just replace Snort with Packetbeat in that setup.

[isopel]

Hi @packetbeat, thanks for the suggestion, I'll have a look at it.

[strootman]

Is this gonna make it into v5.0.0?

[monicasarbu]

@strootman Currently we are targeting it for 5.1.

[monicasarbu]

@strootman Just to clarify here, for 5.1 we are targeting to extract more information from the SSL envelope. We are not planning to do any decryption yet.

[strootman]

@monicasarbu Thank you for the clarification!

[PinXo]

@monicasarbu any advance? has it been replanned/rejected/delayed/forgotten?
At the moment i'm using ssldump to capture https traffic and certificates and it would be a great feature for packetbeat.

[monicasarbu]

@PinXo Packetbeat has already support for flows. Please see more details in our documentation about how to configure it.

[monicasarbu]

Closing this as flows were added in #756

[monicasarbu]

More enhancements for flows can be found here.

[monicasarbu]

Other enhancements related: #3604, #3605