Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Checking HTTPS traffic

    Scheduled Pinned Locked Moved IDS/IPS
    6 Posts 4 Posters 2.9k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • L
      Le_Bleu
      last edited by

      Hi,

      Playing with Snort and Suricata since few week and really like those tools.
      Currently using Suricata inline mode on Pfsense 2.4.5-rc.

      I'm checking alert daily and found some attacks on HTTP 80 port (screenshot bellow), well blocked by suricata.
      I suppose that attempt listed bellow is also made on 443 but not filtered by suricata because HTTP header can't be read.
      I wonder if there is any way to protect HTTPS 443 port and traffic ?
      Maybe with some additional tools install on Pfsense or in another server.

      dc150c45-1028-4b0d-962f-b230c580801e-image.png

      1 Reply Last reply Reply Quote 0
      • NogBadTheBadN
        NogBadTheBad
        last edited by NogBadTheBad

        @Le_Bleu said in Checking HTTPS traffic:

        I'm checking alert daily and found some attacks on HTTP 80 port (screenshot bellow), well blocked by suricata.
        I suppose that attempt listed bellow is also made on 443 but not filtered by suricata because HTTP header can't be read.
        I wonder if there is any way to protect HTTPS 443 port and traffic ?
        Maybe with some additional tools install on Pfsense or in another server.

        They'll be blocked by the default firewall rules unless you port forward port 80 & 443.

        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

        1 Reply Last reply Reply Quote 0
        • L
          Le_Bleu
          last edited by

          Port 80 and 443 are forwarded to my web server.

          1 Reply Last reply Reply Quote 0
          • bmeeksB
            bmeeks
            last edited by bmeeks

            HTTPS is encrypted traffic. That can't be inspected as it passes the firewall unless the firewall is configured using some third-party tool to become a MITM (man-in-the-middle) point where the encryption chain from your client is terminated and a new stream established from the firewall on behalf of your client. That rarely works without issues, though, as it obviously breaks the chain of trust that is the supposed bedrock of SSL (HTTPS).

            No IDS/IPS tool can peer into the content of encrypted traffic. The traffic the IDS/IPS sees must be in plaintext in order for content payloads to be inspected. IDS/IPS tools can examine certain parts of the headers for issues, but in most cases the "bad stuff" with malware is carried in the payload. And if the payload is encrypted, then your IDS/IPS can't examine it.

            As more and more traffic becomes encrypted from endpoint to endpoint, the traditional security tools such as Snort and Suricata and similar ones are becoming less useful.

            1 Reply Last reply Reply Quote 3
            • L
              Le_Bleu
              last edited by

              That's confirm my though. Not good news but still better than no IPS at all for the moment.

              About my webserver, maybe I can set reverse proxy with SSL certificate on pfsense then forward to my webserver encrypted HTTP. So every request can be inspected by IPS.

              1 Reply Last reply Reply Quote 0
              • GertjanG
                Gertjan
                last edited by Gertjan

                That's were the IDS might come in handy.
                But ..... for security reasons you would NOT run it on a firewall / router.
                This one acts only asthe traffic cop.
                Place your reverse proxy just before your web server on a dedicated, isolated LAN. The reverse proxy will terminate the SSL traffic", exposing itself to the world as the "web server", it will unwrap the SSL traffic, inspecting (like border control) the content and passing on the traffic, it could even stay ordinary http because the ext hop = one cable away, will be the web server.

                IDS was nice add on ones, but then that new kid come on the block : TLS ....

                No "help me" PM's please. Use the forum, the community will thank you.
                Edit : and where are the logs ??

                1 Reply Last reply Reply Quote 2
                • First post
                  Last post
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.