Decrypt https traffic for IDS/IPS via proxy
-
Is it possible to set up a (single) pfsense server so that suricata would receive unencrypted traffic to do its job?
E.g.
Internet (https) - Squid (decrypt, http) - Suricata (analise drop/block/pass) - Squid (encrypt/https) - Client
If yes could you plz share what settings might be for such setup.Many thanks.
-
On a single server, I don't think so. This is because Suricata attaches directly to the physical NIC such that traffic entering the box from the NIC first goes to Suricata before it goes anywhere else.
If you have a box with multiple physical NIC ports, I guess it would be possible to set up a complex set of bridges so that traffic came in one port, went to squid/proxy, was sent out another port that Suricata was listening on, then came back from Suricata into a different physical port to get bridged to the output (or to the firewall). Lots of complexity and plenty of places things could break with a setup like that. There is no way to do this with pfSense and the GUI package, though. This would require you to install and configure the CLI version of Suricata and the other packages.
-
Added to that : for all this to work, you have to install certs on every client device, certs being used so that client device can use and trust pfSense as a proxy, so pfSense can do the real MITM job.
All this, on paper, is pure dynamite. In reality, its far better then that.