Topic: IDS on traffic passing through web proxy (Read 1888 times)
jmange (Newbie, Posts: 2, Karma: 0)
IDS on traffic passing through web proxy
« on: March 05, 2023, 01:23:37 pm »
Most internet traffic is encrypted these days, so without decryption, a lot is going to slip past any IDS. I have the web proxy configured on my system, and my assumption was that the Suricata service would take advantage of this and scan the traffic as it was decrypted by the web proxy. This doesn't seem to be the case, however. Is there any way to have Squid pass the traffic to Suricata for scanning?
Thanks
opnsensler (Newbie, Posts: 3, Karma: 0)
Re: IDS on traffic passing through web proxy
« Reply #1 on: May 08, 2024, 07:38:12 am »
Hi,
We have the same "problem"; is there any solution? In my tests, Suricata doesn't scan the web proxy traffic. I tested with the eicar.com test virus.
Greetz
meyergru (Hero Member, Posts: 1701, Karma: 167, IT Aficionado)
Re: IDS on traffic passing through web proxy
« Reply #2 on: May 08, 2024, 09:39:14 am »
Before asking to solve that problem, are you aware of how this really works?
Basically, you can do one of two things:
1. You can have a (transparent) proxy which handles two TLS connections as a man-in-the-middle (MITM). In this case, all traffic is first decrypted, then analysed and - if O.K. - re-encrypted for the target. In order to do that, the proxy will have to present its own (faked) certificate for the target that is being accessed to the clients. In order to do that, you need at least the proxy CA installed on all affected clients. Note that this works only for some clients - you cannot install alternate CAs on most IoT clients, for example. Also, if certificate pinning is used, like with some banks, encryption will break unless you have whitelisted those sites, which in turn has those exempt from inspection.
You will also notice a speed penalty for this type of inspection.
2. The only thing you can do without MITM is analyze the initial phase of the HTTPS TLS connection, where the host part of the URL is specified. That is a bit better than using the IP only, because it can discriminate between different sites on the same host, thereby enabling blocking based on the presumed content type of the specific website (i.e. the connection is dropped directly after a malicious or otherwise unwanted site is detected).
However, it cannot look at the content of the pages or downloaded files, i.e. virus-scanning is impossible. Once the encrypted connection is established, this type of "inspection" is essentially blind.
For Zenarmor, the first (deep) type of inspection is contained only in the paid version, AFAIK.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005
1100 down / 440 up, Bufferbloat A+
opnsensler (Newbie, Posts: 3, Karma: 0)
Re: IDS on traffic passing through web proxy
« Reply #3 on: May 08, 2024, 10:11:55 am »
Hi,
thanks for your answer. At the moment, we use your first option. We have our own CA for the MITM proxy and it works with our clients and our use case. So that is fine.
But the IDS/IPS doesn't work. I don't know what I have to do so that the IDS/IPS scans the decrypted HTTPS traffic.
Patrick M. Hausen (Hero Member, Posts: 6844, Karma: 575)
Re: IDS on traffic passing through web proxy
« Reply #4 on: May 08, 2024, 10:18:45 am »
That decrypted traffic is nowhere to be seen on any network interface. The internal connection is encrypted as well as the external one. Only the web proxy process itself sees the plain text data.
So there needs to be some plugin/pipe/communication/thing from web proxy to IDS and vice versa.
Best contact the Suricata folks I guess.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
meyergru (Hero Member, Posts: 1701, Karma: 167, IT Aficionado)
Re: IDS on traffic passing through web proxy
« Reply #5 on: May 08, 2024, 12:32:16 pm »
Suricata itself does not cover antivirus inspection, that is simply not what it does.
Also, if you use Squid for this purpose, you have to configure an ICAP service (https://docs.opnsense.org/manual/how-tos/proxyicapantivirusinternal.html) to actually inspect the traffic (Squid does not do it by itself, either).
Or you use an integrated solution like Zenarmor, but as I said, for MITM, you have to use the paid version of it.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005
1100 down / 440 up, Bufferbloat A+
Greg_E (Sr. Member, Posts: 342, Karma: 19)
Re: IDS on traffic passing through web proxy
« Reply #6 on: May 08, 2024, 03:20:26 pm »
And it is still MITM which can be detected on some browsers and fail the connection. We are moving more and more security tasks to the endpoints because of all this stuff.
Enoch58 (Newbie, Posts: 3, Karma: 0)
Re: IDS on traffic passing through web proxy
« Reply #7 on: May 14, 2024, 11:10:35 am »
Thank you for your response. Currently, we're utilizing the first option you provided. We've established our Certificate Authority (CA) for the MITM Proxy, and it's functioning well with our clients and our specific use case, which is satisfactory for us. However, we're encountering an issue with the Intrusion Detection System (IDS) / Intrusion Prevention System (IPS). We're unsure of the steps needed to enable the IDS/IPS to scan the decrypted HTTPS traffic. Any guidance on this matter would be greatly appreciated.
« Last Edit: May 21, 2024, 08:33:42 am by Enoch58 »