
Splunk App for Stream: How to configure app to monitor HTTPS over port 443

Explorer

Hello,

I am having issues monitoring wire traffic on port 443 (HTTPS). I am successfully monitoring on port 80 (HTTP), however I am unsure of the additional configurations needed for HTTPS to work properly.

I have installed the Stream app on a deployment server, which has successfully distributed the app to the universal forwarder. The universal forwarder is located on the web server. While parsing the documentation, I'm confused about which configurations to use and where to put them for HTTPS traffic. Has anyone else done this successfully? I haven't been able to find any specific documentation or Splunk answers for this issue. Any advice or direction on which configurations are needed for monitoring HTTPS on port 443 is appreciated.

I've noticed there is no https stream type. Is this because it is included in the http one?

I am currently running Splunk 6.4.1 and Stream 6.6.1.

Thanks for any assistance.

0 Karma

Splunk Employee

Hello,

HTTPS traffic is encrypted, so in order to be able to see it you need to provide the Stream Forwarder with the web server's SSL private key. Here's the doc link on how to do it: http://docs.splunk.com/Documentation/StreamApp/6.6.1/DeployStreamApp/EnableSSLforStreamForwarder

There's no https stream type since https is essentially encrypted http.

HTH

Explorer

Thank you for the response. After adding the key to the UF, I am seeing another error on my forwarder. streamfwd.log is outputting this error:

stream.SnifferReactor - SSL decryption error (cipher suite not decryptable) (ssl) [c=24.72.118.249:4158, s=172.29.2.115:443]

The key is in RSA format. I can't seem to find any other additional documentation on this issue.

0 Karma

Splunk Employee

The "cipher suite not decryptable" error you're now encountering is related to ephemeral encryption, which means that even if you have the server key, you cannot decrypt the session. Hence, you need to disable the ephemeral cipher suites on the HTTP server in order for Stream (or any other SSL decryption-capable network monitor) to be able to decode your traffic.

This is sort of mentioned in the documentation, but it's definitely not explained sufficiently:

By default, some web servers can negotiate session ciphers that do not use RSA private keys. These ephemeral key exchange protocols (such as Diffie-Hellman) make it impossible for any passive observer to decrypt the traffic, and are therefore not supported by Stream.

To ensure that Stream can intercept all of your encrypted traffic, you might need to disable support for ephemeral ciphers on your web server. This does not make your web server less secure, because the web server uses equally effective alternative ciphers for the connection.

The main reason the doc doesn't specifically list setup instructions there is that different HTTP servers require different config tweaking in order to disable ephemeral encryption. For example, to configure an Apache server you need to set the SSLCipherSuite parameter in httpd.conf to something like SSLCipherSuite kRSA:!SSLv2:!SSLv3:!eNULL:!NULL or a similar cipher list string. See http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html and https://www-origin.openssl.org/docs/manmaster/apps/ciphers.html for more details.

What http server are you using?

0 Karma
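The streamfwd.log error quoted in this thread can be tallied per server to see which endpoints still negotiate suites the forwarder cannot decrypt. This is an added example, not part of the original posts and not Splunk's code; the sample lines, their timestamp and log-level prefix, and the second reason string are constructed.

```python
import re
from collections import defaultdict

# Message layout taken from the error quoted in the thread. Anything in front
# of "stream.SnifferReactor" (timestamp, level) is ignored; that prefix layout
# is an assumption, not documented here.
ERR_RE = re.compile(
    r"stream\.SnifferReactor - SSL decryption error \((?P<reason>[^)]*)\) \(ssl\) "
    r"\[c=(?P<client>[^,\]]+), s=(?P<server>[^\]]+)\]"
)
EPHEMERAL_REASON = "cipher suite not decryptable"

def parse_line(line):
    """Return reason/client/server for an SSL decryption error line, else None."""
    m = ERR_RE.search(line)
    return m.groupdict() if m else None

def undecryptable_by_server(lines):
    """Group 'cipher suite not decryptable' errors by server ip:port."""
    sessions = defaultdict(int)
    clients = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["reason"] != EPHEMERAL_REASON:
            continue  # other errors are a different problem; skip them
        sessions[rec["server"]] += 1
        # Keep only the client IP; the source port changes on every connection.
        clients[rec["server"]].add(rec["client"].rpartition(":")[0])
    return {s: {"sessions": n, "clients": sorted(clients[s])}
            for s, n in sessions.items()}

# Constructed sample input using documentation address ranges.
PFX = "2016-07-01 10:00:00 ERROR stream.SnifferReactor - SSL decryption error "
SAMPLE_LOG = [
    PFX + "(cipher suite not decryptable) (ssl) [c=198.51.100.7:4158, s=192.0.2.10:443]",
    PFX + "(cipher suite not decryptable) (ssl) [c=198.51.100.7:4160, s=192.0.2.10:443]",
    PFX + "(cipher suite not decryptable) (ssl) [c=198.51.100.9:5301, s=192.0.2.20:8443]",
    PFX + "(constructed other reason) (ssl) [c=198.51.100.9:5302, s=192.0.2.10:443]",
    "2016-07-01 10:00:05 INFO constructed unrelated line",
]

if __name__ == "__main__":
    for server, info in sorted(undecryptable_by_server(SAMPLE_LOG).items()):
        print(server, info["sessions"], ",".join(info["clients"]))
```

A server whose count stops growing after the cipher list change is no longer negotiating ephemeral suites with the clients the forwarder sees.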

Explorer

http server is Apache 2.4.18

0 Karma

Splunk Employee

OK, so you should be able to apply the config instructions from my previous response.

Also, you probably want to make sure your web ops/info sec/network security people are cool with this change, since different companies have different policies for SSL/TLS settings (for example, allow only strong encryption, etc.).

0 Karma

Explorer

Tested this morning and it was working, thank you for your help!

0 Karma