OPNsense Forum » English Forums » Intrusion Detection and Prevention » Suricata ET Open & Pro SSL mitm
Topic: Suricata ET Open & Pro SSL mitm (Read 5152 times)
dave (Jr. Member, Posts: 74, Karma: 5)
Suricata ET Open & Pro SSL mitm
« on: April 23, 2021, 07:44:18 am »
Just trying to understand this a little better. Which of the rulesets require ssl mitm decryption? I've noticed some of the rulesets are essentially IP based block lists, but others I'm guessing must require ssl mitm DPI to function?
errored out (Full Member, Posts: 171, Karma: 3)
Re: Suricata ET Open & Pro SSL mitm
« Reply #1 on: April 30, 2021, 05:47:32 am »
Short answer: none. Suricata uses netmap, which is at the driver level.
dave (Jr. Member, Posts: 74, Karma: 5)
Re: Suricata ET Open & Pro SSL mitm
« Reply #2 on: May 01, 2021, 04:14:07 am »
If you can be bothered, the long answer would be appreciated, or at least directions to some relevant reading.
I get that netmap offloads processing onto the NICs themselves, but an encrypted flow is still an encrypted flow?
Clearly I don't understand this.
errored out (Full Member, Posts: 171, Karma: 3)
Re: Suricata ET Open & Pro SSL mitm
« Reply #3 on: May 15, 2021, 09:08:43 am »
It's not supported. Suricata uses fingerprinting on encrypted traffic. The packets are not opened, thus MITM is not happening. In order to open encrypted traffic, i.e. Squid, the software would need a certificate authority and have it installed on the computer accessing it. However, Suricata does not have an area to instruct it to utilize a certificate authority.
https://suricata.readthedocs.io/en/suricata-5.0.6/rules/tls-keywords.html
https://suricata.readthedocs.io/en/suricata-5.0.6/file-extraction/file-extraction.html
l0rdraiden (Jr. Member, Posts: 59, Karma: 4)
Re: Suricata ET Open & Pro SSL mitm
« Reply #4 on: September 14, 2023, 09:36:58 am »
Is this still the case?
Even if I configure the transparent proxy
https://docs.opnsense.org/manual/how-tos/proxytransparent.html
Suricata won't see the traffic unencrypted even though the SSL offloading is happening in OPNsense?
This is a huge security issue...