IDS on traffic passing through web proxy

Started by jmange, March 05, 2023, 01:23:37 PM

Most internet traffic is encrypted these days, so without decryption, a lot is going to slip past any IDS.  I have the web proxy configured on my system, and my assumption was that the Suricata service would take advantage of this and scan the traffic as it was decrypted by the web proxy.  This doesn't seem to be the case, however.  Is there any way to have Squid pass the traffic to Suricata for scanning?

Thanks

Hi,

we have the same "problem", is there any solution? In my tests Suricata doesn't scan the web proxy traffic. I tested with the eicar.com test virus.

Greetz

Before asking to solve that problem, are you aware of how this really works?

Basically, you can do one of two things:

1. You can have a (transparent) proxy which handles two TLS connections as a man-in-the-middle (MITM). In this case, all traffic is first decrypted, then analysed and - if O.K. - re-encrypted for the target. In order to do that, the proxy will have to present its own (faked) certificate for the target that is being accessed to the clients. In order to do that, you need at least the proxy CA installed on all affected clients. Note that this works only for some clients - you cannot install alternate CAs on most IoT clients, for example. Also, if certificate pinning is used, like with some banks, encryption will break unless you have whitelisted those sites, which in turn exempts them from inspection.

You will also notice a speed penalty for this type of inspection.

2. The only thing you can do without MITM is analyze the initial phase of the HTTPS TLS connection, where the host part of the URL is specified. That is a bit better than using the IP only, because it can discriminate between different sites on the same host, thereby enabling blocking based on the presumed content type of the specific website (i.e. the connection is dropped directly after a malicious or otherwise unwanted site is detected).

However, it cannot look at the content of the pages or downloaded files, i.e. virus-scanning is impossible. Once the encrypted connection is established, this type of "inspection" is essentially blind.


For Zenarmor, the first (deep) type of inspection is contained only in the paid version, AFAIK.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 770 up, Bufferbloat A

Hi,

thanks for your answer. At the moment, we use your first option. We have our own CA for the MITM proxy and it works with our clients and our use case. So that is fine.
But the IDS/IPS doesn't work. I don't know what I have to do so that the IDS/IPS scans the decrypted HTTPS traffic.

That decrypted traffic is nowhere to be seen on any network interface. The internal connection is encrypted as well as the external one. Only the web proxy process itself sees the plain text data.

So there needs to be some plugin/pipe/communication/thing from web proxy to IDS and vice versa.

Best contact the Suricata folks I guess.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Suricata itself does not cover antivirus inspection, that is simply not what it does.

Also, if you use Squid for this purpose, you have to configure an ICAP service (https://docs.opnsense.org/manual/how-tos/proxyicapantivirusinternal.html) to actually inspect the traffic (Squid does not do it by itself, either).

Or you use an integrated solution like Zenarmor, but as I said, for MITM, you have to use the paid version of it.

Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 770 up, Bufferbloat A

And it is still MITM which can be detected on some browsers and fail the connection. We are moving more and more security tasks to the endpoints because of all this stuff.

May 14, 2024, 11:10:35 AM #7 Last Edit: May 21, 2024, 08:33:42 AM by Enoch58
Thank you for your response. Currently, we're utilizing the first option you provided. We've established our Certificate Authority (CA) for the MITM Proxy, and it's functioning well with our clients and our specific use case, which is satisfactory for us. However, we're encountering an issue with the Intrusion Detection System (IDS) / Intrusion Prevention System (IPS). We're unsure of the steps needed to enable the IDS/IPS to scan the decrypted HTTPS traffic. Any guidance on this matter would be greatly appreciated.