Netgate Discussion Forum

Suricata SSL/TLS decryption

IDS/IPS
7 Posts 3 Posters 8.6k Views

crew, last edited Jul 23, 2017, 2:18 PM

    Hi,

    I would like to ask whether it is possible to use, for example, the squid proxy to decrypt SSL/TLS and then analyze the decrypted messages with Suricata (or another IDS/IPS)? For example, by using some OPT interface for the decrypted messages, or some pcap data (all decrypted communication stored to disk by squid) that Suricata will analyse? And if it is possible, how do I do it?

    If not, why isn't there a plugin in Suricata to analyze pcap data?

    Is it efficient to use Suricata without decrypting SSL traffic?

    pfBasic, last edited Jul 24, 2017, 4:50 PM

      I can't answer the first question.

      What is the need? pfSense already includes pcap.

      Yes, as I understand it Suricata still filters traffic based on the unencrypted headers. Could easily be wrong though. Just my understanding.

      crew, last edited Jul 25, 2017, 7:05 AM

        Hi,

        I just need to pass unencrypted/decrypted data from SSL (for example: use the SSL decryptor / MITM of squid, store the unencrypted/decrypted data on disk) to Suricata, to run legacy analysis on this decrypted data from SSL/TLS.

        pfBasic, last edited Jul 25, 2017, 7:17 AM

          AFAIK you can't do that.

          It sounds like you need different software entirely; what you are describing is not a router or a firewall. You are describing intercepting, saving and decrypting traffic for later inspection, although I don't know why you would inspect old traffic with an IDS/IPS. Check with the NSA, they've got it down.

          crew, last edited Jul 25, 2017, 7:20 AM

            It was just an example; the main idea is to use Suricata on decrypted SSL/TLS connections …

            crew, last edited Jul 25, 2017, 5:20 PM

              Also, if an attack is going through SSL/TLS encryption, the IDS can't detect it, because the headers are also encrypted, so using an IDS is actually (in my opinion) not very efficient against HTTPS (SSL/TLS). So I'm asking this because, as I know, squid is capable of performing MITM to decrypt SSL/TLS, and then we can use Suricata (or another IDS/IPS) to analyze headers, data etc., block if it matches any rule, and then, just for example, pass the data back to squid to encrypt... (squid is just an example; if there exists any other tool which can accomplish this, I'll be so happy :) )

              fredlubrano, last edited Sep 25, 2019, 9:47 AM
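The two posts above disagree about what an IDS can see on an HTTPS connection: pfBasic says Suricata still matches on "the unencrypted headers", crew says the headers are encrypted too. Both are partly right, and the bytes settle it: the TLS handshake (ClientHello with its SNI extension, the server certificate) is in the clear, so Suricata's tls keywords can match on it, while the HTTP request line, headers and body sit inside application_data records and are opaque without the session keys. The following is an added example written for this page, not code from the thread or from Suricata. It builds a ClientHello (fixed filler for the random field and cipher list), extracts the SNI from it with a bounds-checked parser, and compares what a passive sensor gets from a plaintext request, an encrypted record and the handshake. The request, the "ciphertext" filler and the ClientHello are all constructed sample input.

```python
import struct

# Constructed sample input: a plaintext HTTP request, i.e. what a decrypting
# proxy (squid ssl-bump, SSLproxy) would hand to an IDS after MITM.
PLAINTEXT_REQUEST = (
    b"GET /admin/../../etc/passwd HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"User-Agent: curl/7.54\r\n\r\n"
)

# Constructed sample input: a TLS 1.2 application_data record whose payload is
# deterministic filler standing in for ciphertext (it is NOT an encryption of
# the request above; it only has the opaque shape an IDS sees on the wire).
ENCRYPTED_RECORD = b"\x17\x03\x03" + struct.pack("!H", 64) + bytes(
    (i * 73 + 41) % 256 for i in range(64)
)


def build_client_hello(hostname: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record carrying an SNI extension.

    Random field, cipher list and session id are fixed filler (constructed).
    """
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type 0: host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext_sni = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # ext type 0: server_name
    extensions = struct.pack("!H", len(ext_sni)) + ext_sni
    body = (
        b"\x03\x03"            # client_version: TLS 1.2
        + b"\x11" * 32         # random (filler)
        + b"\x00"              # session_id length 0
        + b"\x00\x02\xc0\x2f"  # one cipher suite
        + b"\x01\x00"          # one compression method: null
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the SNI host_name from a ClientHello record, or None.

    Every length field is bounds-checked so a truncated or hostile record
    yields None instead of an exception.
    """
    if len(record) < 5 or record[0] != 0x16:
        return None
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 34                                   # skip client_version + random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                       # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                       # compression_methods
    if len(body) < pos + 2:
        return None                            # no extensions block
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= min(end, len(body)):
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype == 0x0000 and len(edata) >= 5:
            # server_name_list_len(2), name_type(1), name_len(2), name
            (name_len,) = struct.unpack("!H", edata[3:5])
            if edata[2] == 0 and len(edata) >= 5 + name_len:
                return edata[5:5 + name_len].decode("ascii", "replace")
    return None


CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                 0x16: "handshake", 0x17: "application_data"}


def visible_fields(data: bytes) -> dict:
    """Summarise what a passive sensor can read from one record without keys.

    The TLS check is a heuristic (content type byte + major version 3).
    'http_visible' is the thread's question: request line and headers are
    only matchable when the stream reaching the IDS is plaintext.
    """
    is_tls = len(data) >= 5 and data[0] in CONTENT_TYPES and data[1] == 0x03
    payload = data[5:] if is_tls else data
    http = payload.startswith((b"GET ", b"POST ", b"HTTP/1.")) or b"\r\nHost:" in payload
    return {
        "content_type": CONTENT_TYPES[data[0]] if is_tls else "plaintext",
        "sni": extract_sni(data) if is_tls else None,
        "http_visible": http,
    }


if __name__ == "__main__":
    for label, rec in (("ClientHello", build_client_hello("example.com")),
                       ("app data", ENCRYPTED_RECORD),
                       ("plaintext", PLAINTEXT_REQUEST)):
        print(f"{label:12s} {visible_fields(rec)}")
```

The practical reading for the thread: without decryption a rule can only key on what `visible_fields` reports for the handshake (SNI, and the certificate in the ServerHello flight), which is why Suricata's `tls.sni` and certificate keywords exist; the traversal attempt in `PLAINTEXT_REQUEST` is only detectable once a MITM proxy hands the IDS the plaintext.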

                Probably this solution: https://github.com/sonertari/SSLproxy

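SSLproxy is the kind of tool crew was asking for: it terminates TLS, sends the plaintext to a separate listener (the "divert" program, which can be an IDS/IPS or anything that speaks TCP), and re-encrypts whatever that listener returns to it. The listener learns where to send data back from a header line that SSLproxy prepends to the first packet of each diverted connection. The code below is an added example written for this page, not SSLproxy's own code and not from the thread. The header format (three `[ip]:port` pairs, a `s`/`p` flag for TLS or plain, CRLF-terminated) follows the project's README as I recall it and is an assumption to check against the installed version; the rule set, the sample packet and the `serve` port are all constructed for illustration. The inspection step is a stand-in for handing the plaintext to Suricata.

```python
import re

# Assumed (from the SSLproxy README): the first packet on a diverted
# connection starts with a line like
#   SSLproxy: [return_addr]:port,[client_addr]:port,[server_addr]:port,s\r\n
# 's' = the connection was TLS on the wire, 'p' = it was plain TCP.
SSLPROXY_LINE = re.compile(
    rb"^SSLproxy: \[(?P<ret_ip>[^\]]+)\]:(?P<ret_port>\d+),"
    rb"\[(?P<cli_ip>[^\]]+)\]:(?P<cli_port>\d+),"
    rb"\[(?P<srv_ip>[^\]]+)\]:(?P<srv_port>\d+),(?P<proto>[sp])\r\n"
)

# Constructed sample: what the divert listener reads first from SSLproxy.
SAMPLE_FIRST_PACKET = (
    b"SSLproxy: [127.0.0.1]:34649,[192.168.3.24]:47286,[74.125.206.108]:443,s\r\n"
    b"GET /admin/../../etc/passwd HTTP/1.1\r\n"
    b"Host: example.com\r\n\r\n"
)

# Constructed sample rules standing in for the IDS (not Suricata syntax).
RULES = {
    1000001: re.compile(rb"/\.\./"),                 # path traversal
    1000002: re.compile(rb"(?i)User-Agent: sqlmap"),  # scanner fingerprint
}


def split_sslproxy_header(first_packet: bytes):
    """Split the SSLproxy line off the first packet.

    Returns (meta, payload); meta is None when no valid line is present so the
    caller can refuse the connection instead of forwarding unknown bytes.
    """
    m = SSLPROXY_LINE.match(first_packet)
    if not m:
        return None, first_packet
    meta = {
        "return_to": (m["ret_ip"].decode(), int(m["ret_port"])),
        "client": (m["cli_ip"].decode(), int(m["cli_port"])),
        "server": (m["srv_ip"].decode(), int(m["srv_port"])),
        "was_tls": m["proto"] == b"s",
    }
    return meta, first_packet[m.end():]


def inspect(payload: bytes):
    """Run the sample rules over decrypted bytes; return matching rule ids."""
    return sorted(sid for sid, rx in RULES.items() if rx.search(payload))


def handle_first_packet(packet: bytes):
    """Decide what to do with a new diverted connection.

    ("reject", None, bytes)  no SSLproxy line: not from SSLproxy, close it
    ("block", meta, [sids])  a rule matched the plaintext: drop, never re-encrypt
    ("forward", meta, bytes) clean: send payload to meta["return_to"]
    """
    meta, payload = split_sslproxy_header(packet)
    if meta is None:
        return ("reject", None, payload)
    hits = inspect(payload)
    if hits:
        return ("block", meta, hits)
    return ("forward", meta, payload)


def serve(listen=("127.0.0.1", 8080)):
    """Minimal divert listener (assumed port): read the first packet, inspect,
    and either close the connection or pipe the plaintext on to the return
    address so SSLproxy re-encrypts it toward the real server. Only the
    client-to-server direction is relayed here; a deployment needs both."""
    import socket
    with socket.create_server(listen) as srv:
        while True:
            conn, _ = srv.accept()
            with conn:
                action, meta, data = handle_first_packet(conn.recv(65536))
                if action != "forward":
                    continue
                with socket.create_connection(meta["return_to"]) as out:
                    out.sendall(data)
                    for chunk in iter(lambda: conn.recv(65536), b""):
                        out.sendall(chunk)


if __name__ == "__main__":
    print(handle_first_packet(SAMPLE_FIRST_PACKET))
```

The design point this illustrates is the one crew sketched in the earlier post: inspection happens on the plaintext between the two TLS legs, and "block" means the plaintext is simply never handed back to SSLproxy, so nothing is re-encrypted to the server. Replacing `inspect` with a real Suricata deployment means pointing Suricata at the interface or port where the plaintext flows, which SSLproxy's own documentation covers.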
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.