SSL/TLS Plaintext Interception using eBPF
Product Category: Network Detection and Response (NDR)
Objective
Utilize eBPF probes to intercept SSL/TLS plaintext data, allowing security teams to analyze encrypted traffic without the need for SSL termination.
Details
Functions Hooked: SSL_read_ex, SSL_read, SSL_write_ex, SSL_write from the OpenSSL library.
Data Captured:
- Plaintext data being read or written
- Process ID and command line of the application using SSL/TLS
- Amount of data read or written
- Timestamps of read/write operations
Use Case
This implementation lets security teams monitor and inspect encrypted traffic for potential threats, such as data exfiltration, without decrypting it at the network perimeter: the plaintext is captured on the host at the OpenSSL library boundary, so end-to-end encryption on the wire is preserved while the traffic can still be inspected for security purposes.
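The following is an added example, not the product's own code, showing how the hooks in the Details section can be built with bcc: uprobes on SSL_write (plaintext is available at entry) and an entry plus return probe pair on SSL_read (the caller's buffer is only filled when the call returns), with a user-space consumer that decodes each perf-buffer record into the fields listed under Data Captured. It assumes Linux with bcc installed, root or CAP_BPF, and an application that dynamically links libssl.so; the program, struct, function and map names are my own. SSL_read_ex and SSL_write_ex are left out for brevity: they report the byte count through a size_t out-parameter, so the return probe would have to read that pointer instead of the return value.

```python
import ctypes
import struct

MAX_BUF = 256                # plaintext bytes copied per event; must match MAX_BUF in the C code
DIR_READ, DIR_WRITE = 0, 1

# bcc-style BPF C program (hypothetical names). Uprobes sit on the dynamically linked libssl,
# so plaintext is seen at the library boundary: SSL_write has it at entry, SSL_read only
# fills the caller's buffer on return, hence an entry probe saving the pointer plus a return probe.
BPF_PROGRAM = r"""
#include <uapi/linux/ptrace.h>
#define MAX_BUF 256
struct ssl_event_t {
    u64 ts_ns;        // bpf_ktime_get_ns() at capture
    u32 pid;          // tgid of the calling process
    u32 len;          // byte count the SSL call reported
    u32 dir;          // 0 = SSL_read, 1 = SSL_write
    u32 copied;       // bytes actually copied into buf (<= MAX_BUF)
    char comm[16];    // process name
    char buf[MAX_BUF];
};
BPF_PERF_OUTPUT(events);
BPF_HASH(read_bufs, u64, void *);   // thread id -> caller buffer saved at SSL_read entry

static __always_inline int emit(struct pt_regs *ctx, const void *buf, int len, u32 dir) {
    struct ssl_event_t ev = {};
    ev.ts_ns = bpf_ktime_get_ns();
    ev.pid = bpf_get_current_pid_tgid() >> 32;
    ev.len = len;
    ev.dir = dir;
    bpf_get_current_comm(&ev.comm, sizeof(ev.comm));
    u32 n = len > MAX_BUF ? MAX_BUF : len;   // bounded copy so the verifier accepts it
    ev.copied = n;
    bpf_probe_read_user(ev.buf, n, buf);
    events.perf_submit(ctx, &ev, sizeof(ev));
    return 0;
}

// int SSL_write(SSL *ssl, const void *buf, int num): plaintext is complete at entry
int probe_ssl_write(struct pt_regs *ctx, void *ssl, const void *buf, int num) {
    if (num > 0) emit(ctx, buf, num, 1);
    return 0;
}

// int SSL_read(SSL *ssl, void *buf, int num): remember buf, read it once the call returns
int probe_ssl_read_entry(struct pt_regs *ctx, void *ssl, void *buf, int num) {
    u64 tid = bpf_get_current_pid_tgid();
    read_bufs.update(&tid, &buf);
    return 0;
}

int probe_ssl_read_return(struct pt_regs *ctx) {
    u64 tid = bpf_get_current_pid_tgid();
    void **bufp = read_bufs.lookup(&tid);
    if (!bufp) return 0;
    int ret = PT_REGS_RC(ctx);              // bytes decrypted into the caller's buffer
    if (ret > 0) emit(ctx, *bufp, ret, 0);
    read_bufs.delete(&tid);
    return 0;
}
"""

EVENT_FMT = "<QIIII16s256s"             # little-endian, no padding; mirrors struct ssl_event_t
EVENT_SIZE = struct.calcsize(EVENT_FMT)  # 296 bytes

def decode_event(raw):
    """Parse one perf-buffer record (bytes) into a dict the NDR pipeline can index."""
    ts, pid, length, direction, copied, comm, buf = struct.unpack(EVENT_FMT, raw[:EVENT_SIZE])
    return {
        "ts_ns": ts, "pid": pid, "len": length,
        "dir": "read" if direction == DIR_READ else "write",
        "comm": comm.split(b"\0", 1)[0].decode(errors="replace"),
        "data": buf[:copied],
        "truncated": length > copied,   # kernel side only copies the first MAX_BUF bytes
    }

def format_event(ev):
    """One log line per SSL call; '+' marks a record whose plaintext was cut at MAX_BUF."""
    preview = ev["data"].decode("utf-8", errors="replace")
    flag = "+" if ev["truncated"] else ""
    return f"{ev['ts_ns']} pid={ev['pid']} comm={ev['comm']} {ev['dir']} {ev['len']}B{flag} {preview!r}"

def pack_event(ts_ns, pid, direction, comm, data):
    """Build a record in the kernel's layout from constructed values (offline testing only)."""
    return struct.pack(EVENT_FMT, ts_ns, pid, len(data), direction,
                       min(len(data), MAX_BUF), comm, data[:MAX_BUF])

def main():
    from bcc import BPF  # needs bcc and root/CAP_BPF; imported here so decoding stays testable offline
    b = BPF(text=BPF_PROGRAM)
    b.attach_uprobe(name="ssl", sym="SSL_write", fn_name="probe_ssl_write")
    b.attach_uprobe(name="ssl", sym="SSL_read", fn_name="probe_ssl_read_entry")
    b.attach_uretprobe(name="ssl", sym="SSL_read", fn_name="probe_ssl_read_return")
    def handle(cpu, data, size):
        print(format_event(decode_event(ctypes.string_at(data, size))))
    b["events"].open_perf_buffer(handle)
    while True:
        b.perf_buffer_poll()

if __name__ == "__main__":
    main()
```

Two limits matter when this runs in production. The uprobes only fire for processes that resolve SSL_read and SSL_write from a shared libssl; a statically linked OpenSSL, BoringSSL, or Go's crypto/tls never calls these symbols and is invisible to this probe set, so coverage must be verified per workload. And the kernel side copies at most MAX_BUF bytes per call, which is enough for a request line and headers but not for a full body; the truncated flag tells the consumer when the record is partial. The captured plaintext is itself sensitive, so the NDR pipeline that stores these events needs the same access controls as the decrypted traffic would.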