Author Topic: Suricata ET Open & Pro SSL mitm (Read 5153 times)

dave · « **on:** April 23, 2021, 07:44:18 am »

Just trying to understand this a little better. Which of the rulesets require ssl mitm decryption? I've noticed some of the rulesets are essentially IP based block lists, but others I'm guessing must require ssl mitm DPI to function?

errored out · « **Reply #1 on:** April 30, 2021, 05:47:32 am »

Short Answer, none. Suricata uses the netmap which is at the driver level.

dave · « **Reply #2 on:** May 01, 2021, 04:14:07 am »

if you can be bothered, the long answer would be appreciated; or at least directions to some relevant reading.
I get that netmap offloads processing on to the nic's themselves, but an encrypted flow is still an encrypted flow?
Clearly I don't understand this.

errored out · « **Reply #3 on:** May 15, 2021, 09:08:43 am »

It's not supported. Suricata uses fingerprinting on encrypted traffic. The packets are not opened, thus MITM is not happening. In order to open encrypted traffic i.e. squid, the software would need a certificate authority and have it installed on the computer accessing it. However, suricata does not have an area to instruct it to utilize a certificate authority.

https://suricata.readthedocs.io/en/suricata-5.0.6/rules/tls-keywords.html
https://suricata.readthedocs.io/en/suricata-5.0.6/file-extraction/file-extraction.html

l0rdraiden · « **Reply #4 on:** September 14, 2023, 09:36:58 am »

Is this still the case?
Even if I configure the transparent proxy
https://docs.opnsense.org/manual/how-tos/proxytransparent.html

Suricata won't see the traffic unencrypted despite the ssl offloading is happening in opnsense?

This is a huge security issue...

Author Topic: Suricata ET Open & Pro SSL mitm (Read 5153 times)

dave

Suricata ET Open & Pro SSL mitm

errored out

Re: Suricata ET Open & Pro SSL mitm

dave

Re: Suricata ET Open & Pro SSL mitm

errored out

Re: Suricata ET Open & Pro SSL mitm

l0rdraiden

Re: Suricata ET Open & Pro SSL mitm