Suricata SSL/TLS decryption
-
Hi,
I would ask you, if it is possible to use for example squid proxy to decrypt SSL/TLS and then analyze decrypted messages with suricata (or another IDS/IPS ) ? For example, with using some opt interface for decrypted messages or use some pcap data (stored all decrypted communication to disk with squid), where suricata will analyse data ? And if it is possible, how to do it ?
If not, why there isnt plugin in suricata to analyze pcap data ?
Is it effiecient to use suricata without decrypting SSL traffic ?
-
I can't answer the first question.
What is the need? pfSense already includes pcap.
Yes, as I understand it suricata still filters traffic based on the unencrypted headers. Could easily be wrong though. Just my understanding.
-
Hi,
I have just needed to pass unencrypted/decrypted data from SSL (for example: use ssl decryptor, MITM, of the squid, store unencrypted/decrypted data on disk) to suricata, to make Legacy analysis on this decrypted data from SSL/TLS.
-
afaik you can't do that.
It sounds like you need different software entirely, what you are describing is not a router or a firewall. You are describing intercepting, saving and decrypting traffic for later inspection - although I don't know why you would inspect old traffic with an IDS/IPS?. Check with the NSA, they've got it down.
-
It was just an example, main idea is to use suricata on decrypted SSL/TLS connections …
-
Also, if attack is going through SSL/TLS encryption, IDS can't detect it, because headers are also encrypted, so using IDS is actualy (in my opinion) not very efficient agains HTTPS (ssl/tls), so i'm asking this, because as I know, squid is a capable of performing MITM to decrypt SSL/TLS and then, we can use suricata (or another IDS/IPS) to analyze headers, data etc…., make block if it match any rule, and then, just for an example, pass data back to squid to encrypt... (squid is just for an example, if there exist any another tool, which can accomplish this, I'll be so happy :) )
-
probably this solution https://github.com/sonertari/SSLproxy