English Forums > Intrusion Detection and Prevention

How does Suricata handle encrypted traffic?

(1/2) > >>

Misterbister:
Hi!

I have been looking over documentation to try to understand how OPNsense and Suricata handles encrypted traffic. Can the IPS do anyting at all without decrypting it? I cannot find a place where I can add an intercept-ssl certificate in order to decrypt data streams.

Any insight is greatly appreciated.

Can I hope for any kind of protection even if the data streams remain encrypted?

Best regards

Jonas

shred:
My understanding is Suricata (and Snort) can only scan the unencrypted portion (headers) of HTTPS connections but not the actual payload itself. They would need some sort of decryption engine to decrypt the traffic and scan the payload, or perhaps some interface between the web proxy and IDS/IPS since the web proxy has the capability to decrypt HTTPS traffic using a MIM method.

The only protection I’m aware of for decrypted HTTPS traffic is with a virus scanner which OPNsense uses ClamAV.

mimugmail:
Only works with Proxy but you need the CA trusted at the client

mfpck:
Any updates on this ?

Supermule:
It cant unless you run it as MITM.

Navigation

[0] Message Index

[#] Next page