Snort3/4 & Suricata - HTTPS/Web Application determination based on TLS 'Hello Packet' inspection without decryption
Does anyone know whether Snort or Suricata for pfSense can identify which WebApps via TLS Hello Packet inspection? The Palo Alto example is pretty straightforward.
Palo Alto:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVSCA0
Cisco:
https://secure.cisco.com/secure-firewall/docs/application-control
https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/understanding_traffic_decryption.html
Snort:
https://docs.snort.org/rules/options/payload/
Suricata:
https://github.com/OISF/suricata/blob/master/src/detect-tls-cert-validity.c
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.