OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: Misterbister on September 02, 2018, 11:10:03 pm

Title: How does Suricata handle encrypted traffic?
Post by: Misterbister on September 02, 2018, 11:10:03 pm
Hi!

I have been looking over documentation to try to understand how OPNsense and Suricata handle encrypted traffic. Can the IPS do anything at all without decrypting it? I cannot find a place where I can add an intercept-ssl certificate in order to decrypt data streams.

Any insight is greatly appreciated.

Can I hope for any kind of protection even if the data streams remain encrypted?

Best regards

Jonas
Title: Re: How does Suricata handle encrypted traffic?
Post by: shred on September 08, 2018, 09:08:22 pm
My understanding is Suricata (and Snort) can only scan the unencrypted portion (headers) of HTTPS connections but not the actual payload itself. They would need some sort of decryption engine to decrypt the traffic and scan the payload, or perhaps some interface between the web proxy and IDS/IPS since the web proxy has the capability to decrypt HTTPS traffic using a MIM method.

The only protection I’m aware of for decrypted HTTPS traffic is with a virus scanner, for which OPNsense uses ClamAV.
Title: Re: How does Suricata handle encrypted traffic?
Post by: mimugmail on September 08, 2018, 10:41:37 pm
Only works with the Proxy, but you need the CA trusted at the client.