Encrypted traffic inspection

I am trying to decrypt SSL traffic using a MITM/Squid proxy and send it to Suricata (Security Onion). Is this possible? I want to achieve encrypted payload inspection for HTTPS attacks. Ja3 fingerprinting is working fine.


I have the same question: is there a possibility of implementing a feature in Suricata to inspect SSL/HTTPS traffic?

As I understood, Suricata will not do any TLS inspection (except Ja3 hash). To do this TLS traffic needs to be decrypted first before sending it to Suricata. So I used PolarProxy for TLS decryption and then Suricata was able to perform detection on it.


Thanks for your reply. Can you please describe in more detail how you do this?

There are two ways of detecting SSL/TLS traffic using Suricata:

  1. Ja3 hash: a good article is here.
  2. Decrypting traffic using a proxy: this is what I was talking about, using PolarProxy. PolarProxy is capable of decrypting and re-encrypting TLS traffic in real time, and it also has a pcapoverip feature with which you can capture the decrypted traffic in Wireshark or replay it in your network using tcpreplay. This decrypted traffic can be sent to Suricata to apply detection. This article can help you.
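As an added illustration of the pcapoverip path described in the reply above (example code written for this page, not from the thread, PolarProxy or Suricata): a small Python client that connects to PolarProxy's pcap-over-IP port, validates the pcap magic and every record length so a corrupt or truncated stream fails loudly instead of feeding garbage to the IDS, and copies the decrypted packets to a file or FIFO that `suricata -r` can read. The host, port and output path are caller-supplied assumptions, and `sample_stream()` is a constructed pcap used only for offline checking.

```python
import io
import socket
import struct

MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",   # usec pcap magic
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}   # nsec pcap magic

def read_exact(stream, n):
    # Read exactly n bytes; a short read means a truncated record, so fail loudly.
    buf = b""
    while len(buf) < n:
        chunk = stream.read(n - len(buf))
        if not chunk:
            raise EOFError("stream ended inside a pcap record")
        buf += chunk
    return buf

def iter_pcap(stream):
    """Yield (global_header, None), then (record_header, packet) per record."""
    stream = io.BytesIO(stream) if isinstance(stream, bytes) else stream
    magic = read_exact(stream, 4)
    if magic not in MAGICS:
        raise ValueError("not a pcap stream, bad magic: %r" % magic)
    order = MAGICS[magic]
    header = magic + read_exact(stream, 20)
    snaplen = struct.unpack(order + "I", header[16:20])[0]
    yield header, None
    while True:
        if not (rec := stream.read(16)):
            return  # clean end of stream at a record boundary
        rec += read_exact(stream, 16 - len(rec))
        incl_len, orig_len = struct.unpack(order + "II", rec[8:16])
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError("corrupt record header: incl_len=%d" % incl_len)
        yield rec, read_exact(stream, incl_len)

def relay(host, port, out_path):
    """Copy PolarProxy's pcap-over-IP stream into out_path (a file or FIFO for suricata -r)."""
    count = 0  # host/port/out_path are assumptions supplied by the caller
    with socket.create_connection((host, port)) as sock, \
            sock.makefile("rb") as src, open(out_path, "wb") as dst:
        for hdr, packet in iter_pcap(src):
            dst.write(hdr + (packet or b""))
            count += packet is not None
    return count

def sample_stream():
    # Constructed two-record little-endian pcap stream used for offline testing.
    head = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 1)
    return head + struct.pack("<IIII", 1, 0, 3, 3) + b"abc" + struct.pack("<IIII", 2, 0, 2, 2) + b"xy"
```

Point `relay()` at the port given to PolarProxy's `--pcapoverip` option and hand the output path to `suricata -r`; the stream is copied byte-for-byte, so Suricata sees the same decrypted HTTP it would from a pcap file.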