SSL Activity Monitoring

by Ron Gula
June 12, 2011


This dashboard graphs passively monitored SSL traffic occurring on a variety of ports for the past 72 hours.

  • Update: October 2, 2013, SecurityCenter 4.7.0
  • Required Tools - PVS and LCE

Because the PVS decodes a wide variety of protocols, it identifies SSL network sessions by inspecting the traffic itself, independently of the port the session uses.

SSL is most commonly used for secure web traffic on TCP port 443. However, SSL is also used by a variety of secure protocols such as secure IMAP, secure POP, a variety of VPNs, chat clients and much more. Botnets and command and control channels also leverage SSL to encrypt their network traffic.

The PVS logs these sessions, and the Log Correlation Engine normalizes the logs into the event type PVS-SSL_Session_Starting within the "network" LCE family of event types. Below is an example screen shot of these events alongside other PVS and Tenable Network Monitor logs:


The LCE's ability to filter events by direction, port, asset and many other aspects offers many opportunities to graph, alert on and trend SSL activity.

In this example dashboard, we've summarized two types of SSL network activity. The trend line graphs SSL activity on port 443 alongside SSL activity on all other ports for the past three days. The table also summarizes every port on which SSL activity has been seen.
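The two ideas above, port-independent identification of an SSL session and the split between port 443 and everything else, as an added illustration in Python. This is not Tenable's code and does not reproduce the PVS's real classifier or its log format: it recognizes an SSLv3/TLS ClientHello from the first bytes of a TCP stream, then tallies detected sessions per destination port over a set of constructed sample flows. The Flow record, the addresses, the helper names and the sample payloads are all assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass

# TLS record layer: content type (1 byte), version (2 bytes), length (2 bytes).
TLS_HANDSHAKE = 0x16      # record content type for handshake messages
TLS_CLIENT_HELLO = 0x01   # handshake message type for ClientHello


def is_tls_client_hello(payload: bytes) -> bool:
    """True if the first bytes of a TCP stream look like an SSLv3/TLS ClientHello.

    This is the port-independent approach: classify on the data, not the port.
    SSLv3 and TLS 1.0-1.3 all open with a handshake record (0x16) whose version
    major byte is 3, carrying a ClientHello (0x01). The legacy SSLv2-compatible
    ClientHello uses a different framing and is deliberately out of scope here.
    """
    if len(payload) < 6:
        return False
    content_type, major, minor = payload[0], payload[1], payload[2]
    record_len = int.from_bytes(payload[3:5], "big")
    handshake_type = payload[5]
    return (content_type == TLS_HANDSHAKE
            and major == 3 and minor <= 4
            and record_len > 0
            and handshake_type == TLS_CLIENT_HELLO)


def make_client_hello(version=(3, 1)) -> bytes:
    """Build a minimal constructed ClientHello record (one cipher suite, no extensions).

    Lengths are computed rather than hard-coded so the record is well-formed.
    """
    body = (bytes(version)          # client_version
            + bytes(32)             # random (zeroed; this is sample data)
            + b"\x00"               # session_id length 0
            + b"\x00\x02\x00\x2f"   # one cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
            + b"\x01\x00")          # one compression method: null
    handshake = bytes([TLS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([TLS_HANDSHAKE]) + bytes(version)
            + len(handshake).to_bytes(2, "big") + handshake)


@dataclass
class Flow:
    """Hypothetical passively observed TCP session: endpoints plus its first client bytes."""
    src: str
    dst: str
    dst_port: int
    first_payload: bytes


# Constructed sample flows (RFC 5737 documentation addresses), not real captures.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "192.0.2.10", 443, make_client_hello()),           # HTTPS
    Flow("10.0.0.5", "10.0.0.9", 993, make_client_hello()),             # secure IMAP
    Flow("10.0.0.7", "198.51.100.2", 8443, make_client_hello()),        # TLS on an alternate port
    Flow("10.0.0.7", "10.0.0.9", 80, b"GET / HTTP/1.1\r\nHost: x\r\n"),  # plain HTTP
    Flow("10.0.0.8", "203.0.113.5", 6667, make_client_hello((3, 3))),   # TLS 1.2 on the IRC port
    Flow("10.0.0.8", "10.0.0.9", 25, b"EHLO mail.example\r\n"),         # plain SMTP
    Flow("10.0.0.9", "10.0.0.10", 443, b"\x00\x01\x02\x03\x04\x05"),    # port 443, but not TLS
]


def summarize_ssl_by_port(flows):
    """Count detected SSL/TLS sessions per destination port (the dashboard's table)."""
    return Counter(f.dst_port for f in flows if is_tls_client_hello(f.first_payload))


def split_443(per_port):
    """Split a per-port summary into (sessions on 443, sessions on all other ports)."""
    on_443 = per_port.get(443, 0)
    return on_443, sum(per_port.values()) - on_443


if __name__ == "__main__":
    per_port = summarize_ssl_by_port(SAMPLE_FLOWS)
    print("SSL sessions per port:", dict(per_port))
    print("port 443 vs other ports:", split_443(per_port))
```

Note that the flow to port 443 carrying non-TLS bytes is not counted, while the TLS handshake on the IRC port is: that is the behaviour a port-based rule would get backwards, and exactly the kind of entry you want to see in the non-443 column of the dashboard.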

Tracking SSL activity also means that the LCE will perform anomaly detection, user tracking and logging of this data. If your network does experience a compromise and the attacker does make SSL connections, this level of detail is more useful than the plain session logging provided by the Tenable Network Monitor, netflow or firewall "accepted connection" logs.