Drop encrypted payload from captured packets

[zrav]

I'm currently considering deploying SO on a small network where most of the traffic is encrypted with PFS, so it would be pointless to save the payload. Is it possible to selectively drop the payload of HTTPS/SSL/TLS/SSH packets etc. while keeping the rest of the frame (metadata) and thus greatly reduce resource requirements? How would I configure that in stenographer or does that need to happen further down in the pipeline?
Thanks in advance

[EbolaWare]

Hey, I managed to build a BPF just for this. If you give me a few days I can bring it off my airgap for you. It goes in capture's BPF section. Can include that as well.
Edit: my exceptional colleague just reminded me that he pulled it down already. So, stick this in your global pillar:

steno:
  bpf:
    - 'not((((tcp[((tcp[12] & 0xf0) >> 2)] = 0x14) || (tcp[((tcp[12] & 0xf0) >> 2)] = 0x15) || (tcp[((tcp[12] & 0xf0) >> 2)] = 0x16) || (tcp[((tcp[12] & 0xf0) >> 2)] = 0x17)) && (tcp[((tcp[12] & 0xf0) >> 2)+1] = 0x03)) || (((tcp[((tcp[12] & 0xf0) >> 2)] < 0x14) || (tcp[((tcp[12] & 0xf0) >> 2)] > 0x18)) && (tcp[((tcp[12] & 0xf0) >> 2)+3] = 0x00) && (tcp[((tcp[12] & 0xf0) >> 2)+4] < 0x08)) || (port 1433 and tcp[((tcp[12] & 0xf0) >> 2) + 8] = 0x16))'

So, I can't remember all the sources I used for this... But it does math based on SSL and TLS protocols to see what the version is. It should catch anything using SSL or TLS encryption and drop it from steno.

[EbolaWare]

steno:
  bpf:
    - 'not((((tcp[((tcp[12] & 0xf0) >> 2)] = 0x14) || (tcp[((tcp[12] & 0xf0) >> 2)] = 0x15) || (tcp[((tcp[12] & 0xf0) >> 2)] = 0x16) || (tcp[((tcp[12] & 0xf0) >> 2)] = 0x17)) && (tcp[((tcp[12] & 0xf0) >> 2)+1] = 0x03)) || (((tcp[((tcp[12] & 0xf0) >> 2)] < 0x14) || (tcp[((tcp[12] & 0xf0) >> 2)] > 0x18)) && (tcp[((tcp[12] & 0xf0) >> 2)+3] = 0x00) && (tcp[((tcp[12] & 0xf0) >> 2)+4] < 0x08)) || (port 1433 and tcp[((tcp[12] & 0xf0) >> 2) + 8] = 0x16))'

[zrav]

Thank you. But won't this drop the whole packet and not just the payload?

[EbolaWare]

Yes it will. But you will still get the metadata and any alerts because it's still going to be parsed by zeek and suricata. I know programs like moloch/arkime do this "natively" , but this was my quick solution

[Jaap79]

Dropping 443 altogether will indeed drop the packet from being captured but still retain the metadata as well. If this rule works (and I'll definately test this soon!) that would be a great help! Thanks!

[craigsmooth]

Hey, I managed to build a BPF just for this. If you give me a few days I can bring it off my airgap for you. It goes in capture's BPF section. Can include that as well. Edit: my exceptional colleague just reminded me that he pulled it down already. So, stick this in your global pillar:

steno:
  bpf:
    - 'not((((tcp[((tcp[12] & 0xf0) >> 2)] = 0x14) || (tcp[((tcp[12] & 0xf0) >> 2)] = 0x15) || (tcp[((tcp[12] & 0xf0) >> 2)] = 0x16) || (tcp[((tcp[12] & 0xf0) >> 2)] = 0x17)) && (tcp[((tcp[12] & 0xf0) >> 2)+1] = 0x03)) || (((tcp[((tcp[12] & 0xf0) >> 2)] < 0x14) || (tcp[((tcp[12] & 0xf0) >> 2)] > 0x18)) && (tcp[((tcp[12] & 0xf0) >> 2)+3] = 0x00) && (tcp[((tcp[12] & 0xf0) >> 2)+4] < 0x08)) || (port 1433 and tcp[((tcp[12] & 0xf0) >> 2) + 8] = 0x16))'

So, I can't remember all the sources I used for this... But it does math based on SSL and TLS protocols to see what the version is. It should catch anything using SSL or TLS encryption and drop it from steno.

I'm just curious about the success you are having with this filter. In doing a comparison (no filter vs this filter) I still notice a lot of tls continuation data still landing on disk. I'm just wondering if there is a perfect solution since stenographer is not protocol aware?

[dougburks]

@zrav If you haven't already, you might want to review our BPF documentation:
https://docs.securityonion.net/en/2.3/bpf.html