[SOLVED]SSL certificat and suricata rules

Started by bmail, May 22, 2018, 01:29:59 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
May 22, 2018, 01:29:59 PM Last Edit: May 22, 2018, 07:12:52 PM by bmail
Hello,

I think I need help to understand how Opnsense is processing...

I use squid with https inspection. So I created an self signed authority inside Opnsense (called internal-ca).
When a user visits an https web page, every site show a certificat provided by my organisation, with, of course, a unique SHA1 fingerprint. I think this is normal. But ...
I try to block some site using "user defined rules" with Suricata. I give the fingerprint of the website I want to block, but no success ... the website isn't block by suricata.

Suricata works on wan interface only. If it works on wan + lan interface, no more access to Opnsense GUI caused by a rule:

   SERVER-OTHER OpenSSL TLSv1.2 ChangeCipherSpec man-in-the-middle exploitation attempt
Alert sid   31484

Is there a way to use drop action based on ssl fingerprint if we want to use ssl inspection with Squid ?

Thank a lot for any advice.
Bertrand
May 22, 2018, 07:12:16 PM #1
Found !

Ok, how can I be so stupid ?
Just adding the web site in the "SSL no bump sites", so the real certificat is transmitted and can be drop by suricata.

Print
Go Up Pages1
User actions