I would like to check if Suricata is able to analyze SSL communication
-
@bmeeks Thank you, I was kinda hoping that Suricata was able to parse all of the SSL traffic, but Suricata is limited to this for now, so I'll give up and continue to operate as is. I guess it is difficult to analyze SSL communication without purchasing a UTM.
-
@yet_learningpfsense said in I would like to check if Suricata is able to analyze SSL communication:
I was kinda hoping that Suricata was able to parse all of the SSL traffic
That is not possible unless the traffic is sent "in the clear" over to Suricata. And the only way to do that is to use MITM (man-in-the-middle) technology. Unfortunately, there is no ready-made application for that with all the correct network traffic plumbing available on pfSense.
It can be done, but only with very customized network routing that makes use of multiple physical NIC interfaces to "loop" traffic out and back in.
MITM is very labor intensive to set up, and it only works with managed devices that willingly accept and trust the necessary intermediate certificates. That's not going to happen with BYOD (bring your own device) environments unless the user explicitly agrees to install and trust your intermediate certificate.
I don't know your skill level with IDS/IPS, but a lot of new users have a very rudimentary (and usually incorrect) understanding of how today's encrypted network traffic works. You can't just capture and inspect a TLS or SSL or SSH encrypted stream. You must have the decryption key in order to decrypt and view the payload content. And the two parties in the communication (client and server) validate each other using certificates and set up the encryption key based on those certificates. That's why MITM requires the client to accept and trust the intermediate certificate of the MITM server as that server stands in for the real intended destination host.
-
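To make the point above concrete (the payload of a TLS connection is opaque to a passive sensor, while the handshake metadata is not), here is an added, stand-alone example that is not part of this thread and not code from Suricata or pfSense. It builds a minimal ClientHello record with an SNI extension from constructed bytes, then walks a TLS record stream the way an IDS sitting on the wire would: the server name in the handshake is readable, but an application_data record yields only its length, because without the session key there is nothing else to recover. The record and handshake layouts follow RFC 5246; the sample bytes, the constant random value and the fake ciphertext are constructed for the example.

```python
import struct

# TLS record content types and handshake message types (RFC 5246)
TLS_HANDSHAKE = 0x16
TLS_APPLICATION_DATA = 0x17
HS_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS 1.2-style ClientHello record carrying an SNI
    extension. Constructed test input, not a capture from a real client."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    extension = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    body = (
        b"\x03\x03"                                   # client_version: TLS 1.2
        + b"\x11" * 32                                # client random (fixed, constructed)
        + b"\x00"                                     # session_id length 0
        + struct.pack("!H", 4) + b"\x13\x01\xc0\x2f"  # two cipher suites
        + b"\x01\x00"                                 # compression methods: null only
        + struct.pack("!H", len(extension)) + extension
    )
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def build_application_data(ciphertext: bytes) -> bytes:
    """Wrap already-encrypted bytes in an application_data record (constructed)."""
    return bytes([TLS_APPLICATION_DATA]) + b"\x03\x03" + struct.pack("!H", len(ciphertext)) + ciphertext


def parse_sni(handshake: bytes):
    """Return the SNI host name from a ClientHello handshake message, or None."""
    if len(handshake) < 4 or handshake[0] != HS_CLIENT_HELLO:
        return None
    pos = 4 + 2 + 32                                  # skip header, version, random
    pos += 1 + handshake[pos]                         # session_id
    cs_len = struct.unpack("!H", handshake[pos:pos + 2])[0]
    pos += 2 + cs_len                                 # cipher_suites
    pos += 1 + handshake[pos]                         # compression_methods
    if pos + 2 > len(handshake):
        return None                                   # no extensions block
    ext_total = struct.unpack("!H", handshake[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", handshake[pos:pos + 4])
        pos += 4
        data = handshake[pos:pos + ext_len]
        pos += ext_len
        if ext_type == EXT_SERVER_NAME and len(data) >= 5:
            name_len = struct.unpack("!H", data[3:5])[0]
            return data[5:5 + name_len].decode("ascii", "replace")
    return None


def summarize_records(stream: bytes):
    """Walk a TLS record stream and return what a passive sensor can observe:
    handshake metadata (SNI) in the clear, application data as opaque length only."""
    observed = []
    pos = 0
    while pos + 5 <= len(stream):
        content_type = stream[pos]
        rec_len = struct.unpack("!H", stream[pos + 3:pos + 5])[0]
        payload = stream[pos + 5:pos + 5 + rec_len]
        pos += 5 + rec_len
        if content_type == TLS_HANDSHAKE:
            observed.append({"type": "handshake", "sni": parse_sni(payload)})
        elif content_type == TLS_APPLICATION_DATA:
            # The sensor has no session key, so the payload cannot be decrypted.
            observed.append({"type": "application_data", "length": len(payload), "plaintext": None})
        else:
            observed.append({"type": "other", "content_type": content_type})
    return observed


if __name__ == "__main__":
    stream = build_client_hello("example.com") + build_application_data(b"\xde\xad" * 8)
    for record in summarize_records(stream):
        print(record)
```

Running it prints the handshake entry with the host name and an application_data entry with only a length, which is exactly the split a rule engine has to live with unless the client has been made to trust an interposed certificate.
-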
@bmeeks When I was first looking up information on MITM + Suricata, I knew that I would need two NICs (plus the skills to make the difficult connections), but it doesn't seem possible with my skills. I was wondering if it might be possible with just one NIC....
I would like to continue learning PFSense. Thank you very much!
-
@yet_learningpfsense said in I would like to check if Suricata is able to analyze SSL communication:
@bmeeks When I was first looking up information on MITM + Suricata, I knew that I would need two NICs (plus the skills to make the difficult connections), but it doesn't seem possible with my skills. I was wondering if it might be possible with just one NIC....
I would like to continue learning PFSense. Thank you very much!
No, a MITM setup on pfSense is not possible with a single NIC.
However, you might be able to emulate something like this: https://www.netresec.com/?page=Blog&month=2020-01&post=Sniffing-Decrypted-TLS-Traffic-with-Security-Onion. I've never tried it, but it might be an interesting exercise.
Note that all the info in that link is for Linux and Security Onion and not FreeBSD and pfSense. So, you cannot directly follow the instructions there, but you might be able to emulate the process using tools available in FreeBSD.
-
@bmeeks Thank you very much, I'll try to read through it. I'll read through the whole thing while translating for now, I think I read something about PolarProxy.
-
@yet_learningpfsense said in I would like to check if Suricata is able to analyze SSL communication:
I was kinda hoping that Suricata was able to parse all of the SSL traffic
Without proxy settings on every device from which you want to analyse traffic, this is not possible.
And it gets even better: your question is wrong.
You really don't want it to be possible.
Not even the 'just for me' and nobody else.
If you, me or anybody on planet earth could 'break' TLS (SSL) (by doing MITM), the entire Internet would fall ... creating a huge insecure network.
The world economy would fall ...
In a month or so you'd be seeing a "Walking Dead" scenario out there, with the zombies.
This isn't a pfSense issue.
It isn't a 'get this software and now you can see everybody's bank account web access etc.' issue.
Most router firewalls out there don't even bother talking about it, as they do not offer 'virus scanners' or pure 100 % Ethernet packet payload scanning.
But, yes, it can be done. You'll need to set up 'proxy' settings on every device on your network.
There will still be many exceptions, like a lot, and you have to find them all one by one.
For example, sites that use HSTS can not be fooled with a proxy.
All the big players use HSTS; even I, with my own small company site, use it.
MITM is bad.
There will be no exceptions.
Btw: if you find a way to do it, you will be, for a short time, the world's richest person.
All 3 letter agencies will offer you a job you can't refuse.
(or they might actually remove you from the surface of the earth .... as you actually killed the world's economy)
I know, I'm going a bit strong here.
What about getting a serious collection of YouTube videos that explain the situation?
You will understand what 'https' really means.
-
@gertjan Thank you. One thing I would like to do is to use Squid's MITM feature and Suricata to analyze the SSL communication of my own device for the purpose of preventing cybercrime. I know that attackers send information to the outside world in encrypted packets, such as HTTPS communications, after a break-in, so I was wondering if I could analyze those packets and block them with Suricata.
I was looking for a way to analyze the packets and block them with Suricata, but Fortigate and Palo Alto products are expensive, so I was looking for a way to do it with PFSense. I have no intention of using it for criminal purposes. But I apologize for any misunderstanding my comment may have caused.
I am not very familiar with internet security, and I was asking questions to ChatGPT, so I was not sure about MITM (which I knew was a technology used for criminal purposes, but if I could use it to have Suricata analyze the traffic, would that be OK? I was wondering if it would be fine if it was for security purposes as well), so I was setting it up.
I'll try to gather some more details about SSL communication, how it works and how secure it is on YouTube, etc. Thanks for pointing this out to me.
Translated with www.DeepL.com/Translator (free version)
-
@Yet_learningPFSense
SSL and other forms of Internet encryption today are very secure. One of the ways this is accomplished is by the use of certificates issued by a trusted public third-party certificate authority. This is called the CA (Certificate Authority). There are a handful of internationally trusted CAs. Every website and entity around the world that wishes to use SSL applies for and obtains a certificate from a CA and registers their website by domain name (and sometimes by IP as well) with that CA.
Here is a great read about CAs from Wikipedia: https://en.wikipedia.org/wiki/Certificate_authority. This article also has a simplified explanation near the bottom of the page showing how the encryption process works. Once you read and understand what this article discusses, you will have a clearer understanding of the answers provided in this post. And you will see why MITM is difficult to set up and maintain.
And by the way, MITM is not necessarily only a "bad guys" thing. There are legitimate uses for MITM when network security is paramount. But it is difficult to configure and maintain. And as others have said in this thread, some applications refuse to work with MITM.
-
@bmeeks Thank you very much, I will study the wiki, Youtube, etc., along with the content of Gertjan's reply. I have learned that it is safer to know more technical details.
-
@bmeeks said in I would like to check if Suricata is able to analyze SSL communication:
Here is a great read about CAs from Wikipedia: https://en.wikipedia.org/wiki/Certificate_authority.
Yeah: great
When I post this message on this "forum.netgate.com", I use most of all that stuff without needing to know what's going on.
I'm pretty sure that the reader of that wiki page must have some knowledge about the subject. If not, he'll be lost after the very first two phrases.