10-16-2016 11:56 PM
We have a potential customer who would like to analyze email attachments in a sandbox. They are using Lotus Notes as their mail application/server. Has anyone tried decrypting Lotus Notes traffic?
Because if this doesn't work, the only solution is a client-based sandboxing solution.
10-17-2016 08:36 AM
Hi Santonic,
Lotus Notes isn't in the excluded list, it also has sub-apps that are identified if decryption is turned on:
https://applipedia.paloaltonetworks.com/
I haven't tested it myself though.
hope this helps,
Ben
10-17-2016 11:32 PM
Thank you for your answer, it definitely helps.
But I'm still hoping for some feedback if anyone has actually tried this and what the results were, because I don't have an environment where I could test this.
10-24-2016 01:35 AM
So nobody tried this yet?
08-14-2018 05:54 AM
After almost 2 years this issue came up again. This time I was able to analyze at least client-to-server traffic recognised as lotus-notes-base by PA. I did a packet capture but I couldn't find any SSL/TLS handshake in the traffic. So it must be some proprietary encryption.
If someone can prove me wrong or find a way around it please let me know.
08-14-2018 09:43 AM
You probably won't get much, to be honest. In my six-plus years of supporting these firewalls I can't think of more than a few people running it in their environment, much less trying to decrypt it. Given that the App-ID exists, as was mentioned, it's unlikely that there would be a problem decrypting it.
Is the traffic on port 443? If not, Wireshark won't show you that it's TLS since it only has a simple port-to-service mapping. You'll need to decode it as SSL (right click > "Decode As..." > select "SSL").
08-15-2018 10:35 PM
Ohh, good info, ty! It's on TCP 1352, I'll try again.
08-15-2018 11:45 PM
Yes, it's not a widely used protocol. But we have an opportunity where we need to extract files (and send to WF) from it. And they don't get mails as SMTP anywhere in their network (long story). They are also looking for ways to get just mails out of their Lotus Notes server as SMTP but they are not certain yet if it's possible. And then we will have a problem as PA can't be MTA 🙂
I tried to decode traffic on port 1352 as SSL but it didn't look good. Some packets were marked as SSL in Wireshark, but no packets were recognised as SSL handshake.
08-16-2018 10:52 AM
Wireshark can be a bit picky about how it displays, especially if the Client Hello or Server Hello messages are large. Ensure that you've enabled "Allow subdissector to reassemble TCP streams" in the TCP protocol preferences or it may not be able to combine the packets to give you a single useful frame.
If you do have the TCP handshake, the next frame will likely have ACK and PSH flags set, and that should decode as the Client Hello.
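The two Wireshark tips in this thread (forcing "Decode As... > SSL" on TCP 1352, and enabling TCP reassembly so a large hello spanning several segments is dissected as one frame) both come down to the same question: do the first bytes the client sends on the connection form a valid TLS handshake record? The following script is an added example, not code from the thread or from Palo Alto Networks; it applies the same record-header check offline to the first client payload of a stream and reports whether the record fits in one segment. The sample inputs are constructed in the script (a minimal TLS ClientHello, optionally padded with an RFC 7685 padding extension to exceed one segment, and a byte string that is deliberately not TLS); none of them is real Lotus Notes (NRPC) traffic, and the script makes no claim about what NRPC looks like on the wire.

```python
"""Classify the first client payload of a TCP stream as TLS handshake or not.

Added example for the thread above; it mirrors what Wireshark's SSL dissector
keys on when you force "Decode As... > SSL" on a non-standard port such as
TCP 1352, and shows why "Allow subdissector to reassemble TCP streams"
matters when a hello spans more than one segment. Sample data is constructed
here and is not a capture of Lotus Notes traffic.
"""
import struct

TLS_CONTENT_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 0x01
HS_SERVER_HELLO = 0x02
TLS_MAX_RECORD_BODY = 16384 + 2048   # RFC 5246 ciphertext length ceiling
TLS_PADDING_EXTENSION = 21           # RFC 7685


def classify_first_payload(payload: bytes):
    """Return a dict describing an SSL/TLS handshake record at the start of
    `payload`, or None when the bytes do not look like SSL/TLS at all (which is
    what a proprietary protocol looks like even after Decode As > SSL)."""
    if len(payload) < 6:
        return None

    # SSLv2-compatible ClientHello: 2-byte length with the high bit set,
    # followed by message type 0x01 and the highest version offered.
    if payload[0] & 0x80 and payload[2] == HS_CLIENT_HELLO:
        rec_len = ((payload[0] & 0x7F) << 8) | payload[1]
        return {
            "format": "SSLv2-compatible ClientHello",
            "record_len": rec_len,
            "complete_in_segment": len(payload) >= rec_len + 2,
        }

    # TLS record header: content type, version major/minor, 16-bit length.
    content_type, major, minor, rec_len = struct.unpack("!BBBH", payload[:5])
    if content_type != TLS_CONTENT_HANDSHAKE or major != 3 or minor > 4:
        return None
    if rec_len == 0 or rec_len > TLS_MAX_RECORD_BODY:
        return None

    names = {HS_CLIENT_HELLO: "ClientHello", HS_SERVER_HELLO: "ServerHello"}
    hs_type = payload[5]
    if hs_type not in names:
        return None

    # Handshake header: 1-byte type, 3-byte body length (if we have it).
    hs_len = int.from_bytes(payload[6:9], "big") if len(payload) >= 9 else None

    return {
        "format": "TLS",
        "record_version": (major, minor),
        "handshake": names[hs_type],
        "record_len": rec_len,
        "handshake_len": hs_len,
        # A hello that Wireshark can only dissect after TCP reassembly shows
        # up here as a record longer than the first segment's payload.
        "complete_in_segment": len(payload) >= 5 + rec_len,
    }


def build_client_hello(extra_padding: int = 0) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello: one cipher suite, null
    compression, and an optional padding extension to make it large.
    Sample input only; not taken from any real capture."""
    body = b"\x03\x03"                  # client_version: TLS 1.2
    body += bytes(32)                   # client random (zeros in this sample)
    body += b"\x00"                     # session_id length 0
    body += b"\x00\x02" + b"\xc0\x2f"   # one cipher suite
    body += b"\x01\x00"                 # compression methods: null only
    if extra_padding > 0:
        ext = struct.pack("!HH", TLS_PADDING_EXTENSION, extra_padding)
        ext += bytes(extra_padding)
        body += struct.pack("!H", len(ext)) + ext
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    record_header = bytes([TLS_CONTENT_HANDSHAKE, 3, 1])  # record version 3.1
    return record_header + struct.pack("!H", len(handshake)) + handshake


def split_into_segments(data: bytes, mss: int = 1460):
    """Cut a byte string into TCP-segment-sized payloads (constructed MSS)."""
    return [data[i:i + mss] for i in range(0, len(data), mss)]


# Constructed bytes that are not a TLS record (first byte is not 0x16 and the
# SSLv2 high bit is clear); stands in for "some proprietary protocol".
NOT_TLS_SAMPLE = b"\x00\x00\x00\x28" + b"constructed non-TLS payload"


if __name__ == "__main__":
    print("small hello :", classify_first_payload(build_client_hello()))
    big = split_into_segments(build_client_hello(extra_padding=2000))
    print("big hello   :", classify_first_payload(big[0]))
    print("not tls     :", classify_first_payload(NOT_TLS_SAMPLE))
```

Run it against the first client payload of a real stream (for example, exported from Wireshark with Follow TCP Stream > Raw) and you get one of three answers: a TLS record that fits in the segment, a TLS record that is longer than the segment (so reassembly is what Wireshark needs, not a different dissector), or None, which matches the thread's finding that the SSL dissector never sees a handshake on this port.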
08-17-2018 12:29 AM
"Allow subdissector to reassemble TCP streams" was already on (by default), so that didn't make any change.
Yes, after the TCP handshake there are packets with PSH and ACK, but Wireshark doesn't recognise them as an SSL handshake.