Why would I use a Web-Proxy for security purposes?

[adn77]

I am contemplating the use of TLS inspection in Squid.

If inspection is limited to SNI inspection I might be able to block the request based on SNI, but I could have done that using DNSBL much easier.

What are the capabilities of full TLS inspection in terms of applying Surricata rules?
From what I understand, Surricata is implemented a few layers below (network).

Alex

[fabian]

Suricata cannot filter TLS protected content. It can just stop the entire connection based on the plaintext part of the TLS connection.

[adn77]

But Suricata would "see" the connection setup regardless of the proxy, right?

And thanks for the reply!
And sorry, I just noticed that I should've posted in a different topic.

[fabian]

But Suricata would "see" the connection setup regardless of the proxy, right?

Yes, and exactly that. Such IDPS become more and more useless as more and more traffic gets encrypted.

[adn77]

Yes, and exactly that. Such IDPS become more and more useless as more and more traffic gets encrypted.

That's actually why I am asking. Does Suricata benefit from breaking TLS with the use of a proxy?

[fabian]

That's actually why I am asking. Does Suricata benefit from breaking TLS with the use of a proxy?

No, suricata does not see what is going on inside squid (proxy). It may see the plaintext if ICAP is in use (protocol to communicate between the proxy and for example an AV engine) but that's a different story.