Suricata hash matching Please Help
Hiya Meeks... I got all the Suricata file matching stuff working... thanks for your help.
I identify binary files and block them via an empty hash whitelist, which basically turns the box into a Carbon Black operating at the gateway level. Works like a charm (as long as you've got pass rules for microsloth and places you wanna get exes from).
It all works like a charm UNTIL... you go to download an executable from an HTTPS-enabled site.
So out of desperation I'm going to ask a stupid question.
Is there a way to intercept these files while passing through an HTTPS session? I've got MITM fully working but I'm guessing that suricata operates at the NIC card and Squid decrypts the packet way higher up the stack...
I really really really don't wanna have to do virus checking via ClamAV.
By the way, I've got this whole setup running on a KVM hypervisor, so I can get very creative if I need to.
thanks
Suricata and Snort both work at the NIC card level (more or less). When looking at the flow from the point of view of inbound traffic from the Internet, Suricata or Snort is the first thing the packet sees after leaving the NIC on the way into pfSense. Any MITM stuff is farther down the line (or higher up in the stack if you want to think from that perspective). So all Suricata is going to see is the raw HTTPS encrypted datastream.
Bill
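As an added example (not rules from the thread, and not the original poster's own rule set), here is a small Suricata rule file in the shape the first post describes: pass rules for trusted download sources evaluated ahead of drop rules that catch any Windows or Linux executable whose MD5 is not on an (empty) allow-list, followed by one TLS rule illustrating Bill's point that for an HTTPS flow Suricata never sees the file, only handshake metadata such as the SNI. The hostnames, sids, the list filename `whitelist.md5` and the Suricata version (5.0 or later for the `http.host`, `tls.sni` and `dotprefix` keywords) are assumptions.

```suricata
# Added example rule file, not from the thread. Assumptions: Suricata 5.0+
# running inline (IPS mode; in IDS mode a drop rule only logs), a build with
# libmagic so filemagic works, and whitelist.md5 placed next to this rule file
# (filemd5 resolves list names relative to the rules directory). Hostnames and
# sids are placeholders for this example.

# 1. Allow-listed download sources. Suricata's default action order is
#    pass, drop, reject, alert, so a matching pass rule wins over the drops
#    below. Assumption to verify on your version with a test download: a pass
#    that matches the HTTP request exempts the rest of that flow, including
#    the response that carries the file.
pass http $HOME_NET any -> $EXTERNAL_NET any (msg:"PASS allow-listed EXE source (Microsoft)"; flow:to_server; http.host; dotprefix; content:".microsoft.com"; endswith; sid:9000001; rev:1;)
pass http $HOME_NET any -> $EXTERNAL_NET any (msg:"PASS allow-listed EXE source (internal repo)"; flow:to_server; http.host; dotprefix; content:".repo.example.internal"; endswith; sid:9000002; rev:1;)

# 2. Identify executables by content (libmagic), not by extension or MIME type.
#    filemd5:!list matches when the file's hash is NOT in the list; with an
#    empty list every executable matches, so anything not covered by a pass
#    rule is dropped. filestore keeps a copy for later analysis.
#    Caveat: the poster reports an empty list works; if your build refuses to
#    load an empty hash file, seed it with the MD5 of one file you already trust.
drop http any any -> $HOME_NET any (msg:"DROP PE file not on hash allow-list"; flow:to_client; filemagic:"executable for MS Windows"; filemd5:!whitelist.md5; filestore; sid:9000003; rev:1;)
drop http any any -> $HOME_NET any (msg:"DROP ELF file not on hash allow-list"; flow:to_client; filemagic:"ELF"; filemd5:!whitelist.md5; filestore; sid:9000004; rev:1;)

# 3. HTTPS blind spot: rules 3 and 4 can never fire on a TLS flow, because
#    Suricata sees only the encrypted record layer. What remains visible is
#    handshake metadata, so the most a rule can do here is record (or block)
#    by SNI or certificate fields. This one just logs TLS sessions to the same
#    allow-listed host, so HTTPS-side download activity still shows up in eve.json.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"TLS session to allow-listed download host (file content not inspectable)"; flow:to_server; tls.sni; dotprefix; content:".microsoft.com"; endswith; sid:9000005; rev:1;)
```

Check the result with `suricata -T -c /path/to/suricata.yaml -S this-file.rules` before enabling it; a load-time error for `filemd5` (missing or empty list) or for an unsupported keyword shows up there rather than silently leaving the gateway open.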