SSL/TLS Plaintext Interception using eBPF

Product Category

Network Detection and Response (NDR)

Objective

Use eBPF uprobes on the OpenSSL library to capture SSL/TLS plaintext at the application boundary, before encryption on the send side and after decryption on the receive side, so security teams can inspect encrypted traffic without terminating TLS.

Details

Functions Hooked: SSL_read, SSL_read_ex, SSL_write and SSL_write_ex from the OpenSSL library (libssl). Each function is probed on entry, to record the caller's plaintext buffer, and on return, to learn how many bytes were actually transferred; for SSL_read the buffer only holds plaintext once the call has returned.

Data Captured:

  • Plaintext data being read or written
  • Process ID and command line of the application using SSL/TLS
  • Amount of data read or written
  • Timestamps of read/write operations

Use Case

This implementation supports monitoring and inspecting encrypted traffic for threats such as data exfiltration without decrypting it at the network perimeter: end-to-end encryption stays intact on the wire, while the plaintext is still available for inspection on the host. Because the hooks sit on OpenSSL's API, coverage is limited to processes that call that library; applications using a different TLS stack are not seen by these probes.
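The following is an added example of the hooking described above, written here for illustration; it is not the product's own code. It uses BCC (the `bcc` Python package) and assumes root, a kernel new enough to provide `bpf_probe_read_user` (5.5 or later), and that libssl lives at the assumed path in `LIBSSL`. It shows the one detail the function list hides: SSL_read/SSL_write report the byte count as their return value, while SSL_read_ex/SSL_write_ex return 1 and write the count through the `size_t *` in their fourth argument, so the two pairs need different return probes. The BPF side copies at most `MAX_BUF_SIZE` bytes per call and marks longer transfers as truncated; the Python side decodes the events and can be exercised offline with the constructed sample in `make_event`.

```python
"""eBPF uprobe capture of OpenSSL plaintext with BCC (added example, not the product's code)."""
import ctypes
from dataclasses import dataclass

MAX_BUF_SIZE = 400      # plaintext bytes copied per call; the rest is counted, not copied
TASK_COMM_LEN = 16
LIBSSL = "/usr/lib/x86_64-linux-gnu/libssl.so.3"   # assumed path; adjust for the host

# BPF C program. All four OpenSSL calls take the plaintext buffer as argument 2, so one
# entry probe saves it per thread. SSL_read/SSL_write return the byte count; the *_ex
# variants return 1 and store the count via the size_t* in argument 4, which the *_ex
# entry probe saves so the return probe can read it from user memory.
BPF_PROGRAM = r"""
#include <uapi/linux/ptrace.h>
#include <linux/sched.h>
#define MAX_BUF_SIZE %d
struct pending { u64 buf; u64 lenp; };
struct ssl_event {
    u64 ts_ns; u32 pid; u32 len; u32 buf_filled; u8 is_write;
    char comm[TASK_COMM_LEN]; u8 data[MAX_BUF_SIZE];
};
BPF_HASH(inflight, u64, struct pending);              /* tid -> saved entry arguments */
BPF_PERCPU_ARRAY(scratch, struct ssl_event, 1);      /* event is too big for the BPF stack */
BPF_PERF_OUTPUT(events);

static int save(struct pt_regs *ctx, u64 lenp) {
    u64 tid = bpf_get_current_pid_tgid();
    struct pending p = { .buf = PT_REGS_PARM2(ctx), .lenp = lenp };
    inflight.update(&tid, &p);
    return 0;
}
int entry_plain(struct pt_regs *ctx) { return save(ctx, 0); }
int entry_ex(struct pt_regs *ctx)    { return save(ctx, PT_REGS_PARM4(ctx)); }

static int emit(struct pt_regs *ctx, u8 is_write) {
    u64 tid = bpf_get_current_pid_tgid();
    struct pending *p = inflight.lookup(&tid);
    if (!p) return 0;
    struct pending cur = *p;
    inflight.delete(&tid);
    u64 n = 0;
    if (cur.lenp) {                        /* *_ex: success is 1, count in the out-param */
        if (PT_REGS_RC(ctx) != 1) return 0;
        bpf_probe_read_user(&n, sizeof(n), (void *)cur.lenp);
    } else {                               /* classic: count is the return value */
        int rc = PT_REGS_RC(ctx);
        if (rc <= 0) return 0;             /* error or want-read/want-write: no data moved */
        n = rc;
    }
    if (n == 0) return 0;
    int zero = 0;
    struct ssl_event *e = scratch.lookup(&zero);
    if (!e) return 0;
    e->ts_ns = bpf_ktime_get_ns(); e->pid = tid >> 32; e->len = n; e->is_write = is_write;
    bpf_get_current_comm(&e->comm, sizeof(e->comm));
    u32 copy = n > MAX_BUF_SIZE ? MAX_BUF_SIZE : n;   /* bounded so the verifier accepts it */
    e->buf_filled = copy;
    bpf_probe_read_user(e->data, copy, (void *)cur.buf);
    events.perf_submit(ctx, e, sizeof(*e));
    return 0;
}
int ret_read(struct pt_regs *ctx)  { return emit(ctx, 0); }
int ret_write(struct pt_regs *ctx) { return emit(ctx, 1); }
""" % MAX_BUF_SIZE

# Mirror of struct ssl_event. data is c_ubyte, not c_char, so embedded NULs survive.
class SslEvent(ctypes.Structure):
    _fields_ = [("ts_ns", ctypes.c_uint64), ("pid", ctypes.c_uint32),
                ("len", ctypes.c_uint32), ("buf_filled", ctypes.c_uint32),
                ("is_write", ctypes.c_uint8), ("comm", ctypes.c_char * TASK_COMM_LEN),
                ("data", ctypes.c_ubyte * MAX_BUF_SIZE)]
EVENT_SIZE = ctypes.sizeof(SslEvent)

@dataclass
class Capture:
    ts_ns: int
    pid: int
    comm: str
    direction: str      # "write" (SSL_write*) or "read" (SSL_read*)
    total_len: int      # bytes the application transferred in this call
    plaintext: bytes    # the first buf_filled of them
    truncated: bool     # True when total_len exceeded MAX_BUF_SIZE

def parse_event(raw: bytes) -> Capture:
    """Decode one perf event emitted by the BPF program above."""
    e = SslEvent.from_buffer_copy(raw)
    return Capture(ts_ns=e.ts_ns, pid=e.pid, comm=e.comm.decode(errors="replace"),
                   direction="write" if e.is_write else "read", total_len=e.len,
                   plaintext=bytes(e.data)[:e.buf_filled], truncated=e.len > e.buf_filled)

def make_event(pid, comm, is_write, total_len, payload, ts_ns=0) -> bytes:
    """Constructed sample event, laid out exactly as the BPF side emits it (for offline use)."""
    e = SslEvent(ts_ns=ts_ns, pid=pid, len=total_len, is_write=is_write, comm=comm)
    copy = min(total_len, MAX_BUF_SIZE, len(payload))
    e.buf_filled = copy
    ctypes.memmove(e.data, payload, copy)
    return bytes(e)

PROBES = [  # (libssl symbol, entry probe, return probe)
    ("SSL_read", "entry_plain", "ret_read"), ("SSL_write", "entry_plain", "ret_write"),
    ("SSL_read_ex", "entry_ex", "ret_read"), ("SSL_write_ex", "entry_ex", "ret_write"),
]

def main(libssl=LIBSSL):
    from bcc import BPF   # imported here so the decoder above works without bcc installed
    b = BPF(text=BPF_PROGRAM)
    for sym, entry, ret in PROBES:
        b.attach_uprobe(name=libssl, sym=sym, fn_name=entry)
        b.attach_uretprobe(name=libssl, sym=sym, fn_name=ret)
    def on_event(cpu, data, size):
        c = parse_event(ctypes.string_at(data, size))
        flag = " (truncated)" if c.truncated else ""
        print(f"{c.ts_ns} pid={c.pid} {c.comm} {c.direction} {c.total_len}B{flag}: {c.plaintext[:80]!r}")
    b["events"].open_perf_buffer(on_event)
    while True:
        b.perf_buffer_poll()

if __name__ == "__main__":
    main()
```

Run it as root while a client such as curl makes an HTTPS request through the same libssl, and each SSL_write shows the outgoing request line and headers in the clear, with the process ID and command name beside it. The per-thread `inflight` map is what ties an entry probe to its return probe; without it a return probe has no way to recover the buffer pointer, and a thread whose call errors out must have its entry removed so a later call is not paired with stale arguments.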