Topic: How does Suricata handle encrypted traffic? (Read 11209 times)
Misterbister (Newbie, Posts: 2, Karma: 0)
How does Suricata handle encrypted traffic?
« on: September 02, 2018, 11:10:03 pm »
Hi!
I have been looking over documentation to try to understand how OPNsense and Suricata handle encrypted traffic. Can the IPS do anything at all without decrypting it? I cannot find a place where I can add an intercept-ssl certificate in order to decrypt data streams.
Any insight is greatly appreciated.
Can I hope for any kind of protection even if the data streams remain encrypted?
Best regards
Jonas
shred (Newbie, Posts: 17, Karma: 2)
Re: How does Suricata handle encrypted traffic?
« Reply #1 on: September 08, 2018, 09:08:22 pm »
My understanding is Suricata (and Snort) can only scan the unencrypted portion (headers) of HTTPS connections but not the actual payload itself. They would need some sort of decryption engine to decrypt the traffic and scan the payload, or perhaps some interface between the web proxy and IDS/IPS since the web proxy has the capability to decrypt HTTPS traffic using a MIM method.
The only protection I’m aware of for decrypted HTTPS traffic is with a virus scanner, for which OPNsense uses ClamAV.
mimugmail (Hero Member, Posts: 6767, Karma: 494)
Re: How does Suricata handle encrypted traffic?
« Reply #2 on: September 08, 2018, 10:41:37 pm »
Only works with Proxy but you need the CA trusted at the client
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/
mfpck (Jr. Member, Posts: 50, Karma: 5)
Re: How does Suricata handle encrypted traffic?
« Reply #3 on: September 13, 2021, 09:00:35 pm »
Any updates on this?
Supermule (Full Member, Posts: 235, Karma: 15)
Re: How does Suricata handle encrypted traffic?
« Reply #4 on: September 13, 2021, 09:03:31 pm »
It can't unless you run it as MITM.
mfpck (Jr. Member, Posts: 50, Karma: 5)
Re: How does Suricata handle encrypted traffic?
« Reply #5 on: September 13, 2021, 09:07:36 pm »
What about JA3 and JA3S fingerprinting, or does this just come with Sensei?
mimugmail (Hero Member, Posts: 6767, Karma: 494)
Re: How does Suricata handle encrypted traffic?
« Reply #6 on: September 13, 2021, 09:20:43 pm »
It can work with it, but this is the part which is not yet encrypted.
mfpck (Jr. Member, Posts: 50, Karma: 5)
Re: How does Suricata handle encrypted traffic?
« Reply #7 on: September 13, 2021, 09:25:34 pm »
Is this still the state?
It's not supported. Suricata uses fingerprinting on encrypted traffic. The packets are not opened, thus MITM is not happening. In order to open encrypted traffic, i.e. squid, the software would need a certificate authority and have it installed on the computer accessing it. However, Suricata does not have an area to instruct it to utilize a certificate authority.
ref. https://forum.opnsense.org/index.php?topic=22772.0
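
Added example, not part of any post in this thread: JA3, raised in replies #5 and #6, is computed only from ClientHello fields that are sent in cleartext before encryption starts. The Python sketch below parses a constructed ClientHello and derives the JA3 string and its MD5 hash without decrypting anything; the function names, the `example.test` server name and the cipher list are assumptions made for illustration.

```python
import hashlib
import struct

GREASE = {0x0A0A + 0x1010 * i for i in range(16)}  # RFC 8701 values, skipped by JA3

def _u16s(buf):
    return [v for (v,) in struct.iter_unpack("!H", buf) if v not in GREASE]

def ja3(record):
    """Return (ja3_string, md5_hex) for one TLS record holding a ClientHello."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    version = struct.unpack_from("!H", record, 9)[0]   # after record + handshake headers
    pos = 44 + record[43]                              # skip random (32 bytes) and session_id
    n = struct.unpack_from("!H", record, pos)[0]
    ciphers = _u16s(record[pos + 2:pos + 2 + n])
    pos += 2 + n
    pos += 1 + record[pos]                             # skip compression_methods
    exts, groups, formats = [], [], []
    end = pos + 2 + struct.unpack_from("!H", record, pos)[0] if pos < len(record) else pos
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", record, pos)
        body = record[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype in GREASE:
            continue
        exts.append(etype)
        if etype == 10:                                # supported_groups
            groups = _u16s(body[2:])
        elif etype == 11:                              # ec_point_formats
            formats = list(body[1:])
    text = ",".join("-".join(map(str, f)) for f in ([version], ciphers, exts, groups, formats))
    return text, hashlib.md5(text.encode()).hexdigest()

def sample_client_hello():
    """Constructed ClientHello for illustration, not captured traffic."""
    ext = lambda t, b: struct.pack("!HH", t, len(b)) + b
    sni = b"example.test"
    exts = (ext(0x0A0A, b"") + ext(0, struct.pack("!HBH", len(sni) + 3, 0, len(sni)) + sni)
            + ext(10, struct.pack("!HHH", 4, 29, 23)) + ext(11, b"\x01\x00"))
    suites = struct.pack("!4H", 0x0A0A, 0x1301, 0xC02F, 0x009C)
    body = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    print(ja3(sample_client_hello()))
```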