Netgate Discussion Forum
    Suricata SSL/TLS decryption

    IDS/IPS
    • crew

      Hi,

      I would like to ask whether it is possible to use, for example, the squid proxy to decrypt SSL/TLS and then analyze the decrypted messages with suricata (or another IDS/IPS)? For example, by using some opt interface for the decrypted messages, or some pcap data (all decrypted communication stored to disk with squid), which suricata would then analyse? And if it is possible, how do I do it?

      If not, why isn't there a plugin in suricata to analyze pcap data?

      Is it efficient to use suricata without decrypting SSL traffic?

      • pfBasic

        I can't answer the first question.

        What is the need? pfSense already includes pcap.

        Yes, as I understand it, suricata still filters traffic based on the unencrypted headers. Could easily be wrong though. Just my understanding.

        • crew

          Hi,

          I just need to pass unencrypted/decrypted data from SSL (for example: use the SSL decryptor, MITM, of squid, and store the unencrypted/decrypted data on disk) to suricata, to perform legacy analysis on this decrypted data from SSL/TLS.

          • pfBasic

            AFAIK you can't do that.

            It sounds like you need different software entirely; what you are describing is not a router or a firewall. You are describing intercepting, saving and decrypting traffic for later inspection, although I don't know why you would inspect old traffic with an IDS/IPS. Check with the NSA, they've got it down.

            • crew

              It was just an example; the main idea is to use suricata on decrypted SSL/TLS connections …

              • crew

                Also, if an attack is going through SSL/TLS encryption, an IDS can't detect it, because the headers are also encrypted, so using an IDS is actually (in my opinion) not very efficient against HTTPS (ssl/tls). So I'm asking this because, as far as I know, squid is capable of performing MITM to decrypt SSL/TLS, and then we can use suricata (or another IDS/IPS) to analyze headers, data, etc., block if it matches any rule, and then, just as an example, pass the data back to squid to encrypt... (squid is just an example; if there exists any other tool which can accomplish this, I'll be so happy :) )

                • fredlubrano

                  Probably this solution: https://github.com/sonertari/SSLproxy

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.