Intercept ssl data

[y0d4a]

Hi, there is many info regarding intercepting ssl data.
Some solutions are for bro, some for suricata (some of them are free like sslstrip or viewssld or commercial one like polarproxy) and some solutions do not intercept ssl, instead of that they comparing network package hash or simmiliar with ja3 database...
But i did not find any info from someone experience how this working, special how to setup that.
As i good understand, there is need for instance before SO which will decrypt data and push to SO (no live).

What is latest news regarding this subject?
Is there some experience with free tools to accomplish this or one of clean way is this paid polarproxy?
Of course, i am looking for free solution.

Thank you

[y0d4a]

nothing? none experience ? :)

[OlexTratisky]

Did you find any solution for this? I am interested too

[medtemo]

Hi.
This is commercial NG Firewall examples.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Mirroring-SSL-inspected-traffic/ta-p/189451#:~:text=It%20is%20possible%20to%20'mirror,is%20set%20to%20flow%2Dbased.

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_NextGenSecurityGateway_Guide/Topics-FWG/Mirror-and-Decrypt.htm

[InfosecGoon]

Polarproxy is free up to 10GB per day -- I don't know how much traffic you're trying to decrypt, but for a home lab that may be sufficient.

For a commercial solution, you'd probably want something hardware based like a NGFW or a tap infrastructure.

--Matt

[TotieBash]

Some big name commercial web security proxy or reverse proxy servers allows you to send a copy of unencrypted traffic to your tools or SO. I would check what web security proxy you guys use and see if it has the feature. Some NGFW like Palo Alto or Fortigate Firewalls has similar features. In my opinion, this is the most safest approach to accomplish this goal. In which you don't get any blame if something goes south with the SSL decrypt configuration because all you ask is to send a copy of the already unencrypted traffic. As you know, SSL decrypt is really MITM break and inspect of certificates and you don't want to be in that business if you can avoid it.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Mirroring-SSL-inspected-traffic/ta-p/189451