Just trying to understand this a little better. Which of the rulesets require SSL MITM decryption? I've noticed some of the rulesets are essentially IP-based block lists, but others I'm guessing must require SSL MITM DPI to function?
Short answer: none. Suricata uses netmap, which is at the driver level.
If you can be bothered, the long answer would be appreciated, or at least directions to some relevant reading.
I get that netmap offloads processing onto the NICs themselves, but an encrypted flow is still an encrypted flow?
Clearly I don't understand this.
It's not supported. Suricata uses fingerprinting on encrypted traffic. The packets are not opened, thus MITM is not happening. In order to open encrypted traffic (i.e. Squid), the software would need a certificate authority and have it installed on the computer accessing it. However, Suricata does not have an area to instruct it to utilize a certificate authority.
https://suricata.readthedocs.io/en/suricata-5.0.6/rules/tls-keywords.html
https://suricata.readthedocs.io/en/suricata-5.0.6/file-extraction/file-extraction.html
Is this still the case?
Even if I configure the transparent proxy
https://docs.opnsense.org/manual/how-tos/proxytransparent.html
Suricata won't see the traffic unencrypted, even though the SSL offloading is happening in OPNsense?
This is a huge security issue...