How does Suricata handle encrypted traffic?

Started by Misterbister, September 02, 2018, 11:10:03 PM

Hi!

I have been looking over the documentation to try to understand how OPNsense and Suricata handle encrypted traffic. Can the IPS do anything at all without decrypting it? I cannot find a place where I can add an intercept-SSL certificate in order to decrypt data streams.

Any insight is greatly appreciated.

Can I hope for any kind of protection even if the data streams remain encrypted?

Best regards

Jonas

My understanding is that Suricata (and Snort) can only scan the unencrypted portion (headers) of HTTPS connections, but not the actual payload itself. They would need some sort of decryption engine to decrypt the traffic and scan the payload, or perhaps some interface between the web proxy and the IDS/IPS, since the web proxy has the capability to decrypt HTTPS traffic using a MITM method.

The only protection I'm aware of for decrypted HTTPS traffic is a virus scanner; OPNsense uses ClamAV for that.

That only works with the proxy, and you need the CA trusted on the client.



What about JA3 and JA3S fingerprinting, or does that only come with Sensei?

It can work with it, but that is the part which is not yet encrypted.

+ Is this still the state?


It's not supported. Suricata uses fingerprinting on encrypted traffic. The packets are not opened, thus MITM is not happening. In order to open encrypted traffic, e.g. with squid, the software would need a certificate authority and have it installed on the computer accessing it. However, Suricata does not have an area to instruct it to utilize a certificate authority.
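To make the "fingerprinting on encrypted traffic" point concrete, here is an added example (not code from the thread, OPNsense or the Suricata project) that parses a TLS ClientHello and pulls out the two things an IDS can still see before encryption starts: the SNI hostname and the JA3 fingerprint (MD5 of the TLS version, cipher suites, extension types, supported groups and EC point formats, with GREASE values dropped). The ClientHello bytes are constructed by the script itself so it runs offline; the hostname, cipher and group lists are made-up sample values, not captured traffic.

```python
import hashlib
import struct

# GREASE values (RFC 8701: 0x0a0a, 0x1a1a, ... 0xfafa) are random filler that
# clients rotate, so JA3 excludes them; otherwise the hash would change per connection.
GREASE = {(v << 8) | v for v in range(0x0A, 0x100, 0x10)}


def build_client_hello(server_name, ciphers, groups, point_formats, version=0x0303):
    """Construct a TLS record carrying a ClientHello (constructed test input, not a capture)."""
    def ext(ext_type, body):
        return struct.pack("!HH", ext_type, len(body)) + body

    host = server_name.encode()
    sni_entry = struct.pack("!BH", 0, len(host)) + host          # name_type 0 = host_name
    sni_body = struct.pack("!H", len(sni_entry)) + sni_entry
    groups_body = struct.pack("!H", 2 * len(groups)) + b"".join(struct.pack("!H", g) for g in groups)
    pf_body = struct.pack("!B", len(point_formats)) + bytes(point_formats)

    # A GREASE extension is included on purpose so the parser has to ignore it.
    extensions = ext(0x0A0A, b"") + ext(0, sni_body) + ext(10, groups_body) + ext(11, pf_body)
    cipher_bytes = b"".join(struct.pack("!H", c) for c in ciphers)
    body = (
        struct.pack("!H", version)
        + b"\x11" * 32                                            # client random (fixed here)
        + b"\x00"                                                 # session id length 0
        + struct.pack("!H", len(cipher_bytes)) + cipher_bytes
        + b"\x01\x00"                                             # compression: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # type 1 = ClientHello
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def parse_client_hello(record):
    """Extract the cleartext fields available before encryption: SNI plus JA3 inputs."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    pos = 0
    version = struct.unpack_from("!H", body, pos)[0]
    pos += 2 + 32                                                 # version, then 32-byte random
    pos += 1 + body[pos]                                          # session id
    cs_len = struct.unpack_from("!H", body, pos)[0]
    pos += 2
    ciphers = [struct.unpack_from("!H", body, pos + i)[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                          # compression methods
    ext_len = struct.unpack_from("!H", body, pos)[0]
    pos += 2
    end = pos + ext_len

    ext_types, groups, point_formats, sni = [], [], [], None
    while pos < end:
        etype, elen = struct.unpack_from("!HH", body, pos)
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        ext_types.append(etype)
        if etype == 0:                                            # server_name
            name_len = struct.unpack_from("!H", data, 3)[0]
            sni = data[5:5 + name_len].decode()
        elif etype == 10:                                         # supported_groups
            n = struct.unpack_from("!H", data, 0)[0]
            groups = [struct.unpack_from("!H", data, 2 + i)[0] for i in range(0, n, 2)]
        elif etype == 11:                                         # ec_point_formats
            point_formats = list(data[1:1 + data[0]])
    return {"version": version, "sni": sni, "ciphers": ciphers,
            "extensions": ext_types, "groups": groups, "point_formats": point_formats}


def ja3_string(fields):
    """JA3 pre-hash string: version,ciphers,extensions,groups,point_formats (decimal, '-' joined)."""
    def no_grease(values):
        return [v for v in values if v not in GREASE]
    return ",".join([
        str(fields["version"]),
        "-".join(map(str, no_grease(fields["ciphers"]))),
        "-".join(map(str, no_grease(fields["extensions"]))),
        "-".join(map(str, no_grease(fields["groups"]))),
        "-".join(map(str, fields["point_formats"])),
    ])


def ja3_hash(fields):
    return hashlib.md5(ja3_string(fields).encode()).hexdigest()


# Constructed sample: GREASE cipher and group, TLS_AES_128_GCM_SHA256, two ECDHE suites, one RSA suite.
SAMPLE_HELLO = build_client_hello(
    "example.com",
    ciphers=[0x0A0A, 0x1301, 0xC02B, 0xC02F, 0x009C],
    groups=[0x0A0A, 0x001D, 0x0017],
    point_formats=[0],
)

if __name__ == "__main__":
    f = parse_client_hello(SAMPLE_HELLO)
    print("SNI:       ", f["sni"])
    print("JA3 string:", ja3_string(f))
    print("JA3 hash:  ", ja3_hash(f))
```

None of this required a CA or any decryption: the ClientHello travels in the clear in every TLS version, which is why Suricata can match on `tls.sni` and, once `ja3-fingerprints` is enabled under the `tls` app-layer section of suricata.yaml, on `ja3.hash` / `ja3.string`, while the HTTP request and response behind it stay opaque. Order matters in JA3 (two clients offering the same suites in a different order get different hashes), so a parser that sorts the lists would silently produce fingerprints that never match published ones.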


ref.
https://forum.opnsense.org/index.php?topic=22772.0