Suricata and Squid Proxy
-
I've got Suricata and Squid Proxy both running on the pfSense VM. What I am trying to achieve in a virtual environment is decrypt the SSL/TLS traffic and run Suricata IDS/IPS on the decrypted traffic so that I can have Suricata Detection on decrypted SSL/TLS traffic. Is it possible?
-
Unfortunately that is not currently possible with the package on pfSense due to the way Suricata plumbs itself into the network stack. Suricata positions its sampling point directly at the output of the NIC hardware driver prior to the packets entering the OS kernel stack.
You could set this up using some custom internal routing of traffic and by manually configuring the Suricata binary to use two hardware NIC endpoints in IPS mode. That cannot be done within the current Suricata GUI package, though. So, to implement what I describe requires installing just the Suricata binary and manually configuring everything at the command line.
You would need two available and free NIC ports to use for the two IPS endpoints. You would also need to get creative with traffic routing to send traffic out of those specific ports for Suricata inspection and then re-route it on to the original destination.
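As an added illustration (not from bmeeks, the pfSense GUI package, or the original post), this is the `netmap` section of a hand-edited suricata.yaml that pairs two dedicated NIC ports in inline IPS mode, which is what the manual setup above amounts to. The interface names, the config path and the threads setting are assumptions; the pfSense policy routing that would steer the plaintext side of the proxy through this pair is not shown.

```yaml
# Added example, not the project's own configuration.
# netmap is the capture method Suricata uses for inline IPS on FreeBSD/pfSense.
# em2/em3 are placeholder names for the two free NIC ports; adjust to your box.
netmap:
  - interface: em2        # packets entering on em2 ...
    copy-mode: ips        # ... are inspected, and only packets no drop rule
    copy-iface: em3       # matched are copied out the paired port em3
    threads: auto
    checksum-checks: auto
  - interface: em3        # return direction: same pairing, reversed
    copy-mode: ips
    copy-iface: em2
    threads: auto
    checksum-checks: auto

# Run from the shell (config path is an assumption for a pfSense install):
#   suricata --netmap -c /usr/local/etc/suricata/suricata.yaml -D
# Drop verdicts only take effect for rules whose action is "drop"; "alert"
# rules log but still let the packet through to the paired interface.
```

Because both ports are consumed by Suricata itself, neither can carry any other pfSense traffic, which is why the answer above insists on two unused NICs.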
-
@bmeeks Thanks for the reply! Understood!