I am trying to decrypt SSL traffic using a MITM/Squid proxy and send it to Suricata (Security Onion). Is this possible? I want to achieve encrypted payload inspection of HTTPS attacks. JA3 fingerprinting is working fine.
I have the same question: is there a possibility to implement a feature in Suricata to inspect SSL/HTTPS traffic?
As I understood, Suricata will not do any TLS inspection (except the JA3 hash). To do this, TLS traffic needs to be decrypted first, before sending it to Suricata. So I used PolarProxy for TLS decryption, and then Suricata was able to perform detection on it.
Thanks for your reply. Can you please describe in more detail how you do this?
There are two ways of detecting SSL/TLS traffic using Suricata:
- JA3 hash: a good article is here.
- Decrypting traffic using a proxy: this is what I was talking about, using PolarProxy. PolarProxy is capable of decrypting and re-encrypting TLS traffic in real time, and it also has a PCAP-over-IP feature with which you can capture the decrypted traffic in Wireshark or replay it in your network using tcpreplay. This decrypted traffic can be sent to Suricata to apply detection. This article can help you.
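The pipeline in the answer above is: PolarProxy terminates and decrypts the TLS session, exposes the plaintext as a PCAP-over-IP stream (a standard pcap byte stream sent over a TCP socket), and that stream is turned into something Suricata can read. The script below is an added example written for this thread; it is not code from the thread's posters, from PolarProxy or from Suricata. It parses a pcap stream record by record, detects the producer's byte order from the magic number, writes the records to a pcap file that `suricata -r decrypted.pcap` can process, and runs a crude plaintext check (looking for HTTP request lines) so you can confirm the capture really is decrypted before spending time on rules. The listener address `127.0.0.1:57012`, the output filename and the constructed sample frames (zero checksums, made-up addresses) are assumptions for the example; use whatever port you gave PolarProxy's `--pcapoverip` option.

```python
"""Consume a PCAP-over-IP stream (e.g. from PolarProxy) and write a pcap Suricata can read."""
import io
import re
import socket
import struct
from dataclasses import dataclass
from typing import BinaryIO, Iterable, Iterator, List, Optional

MAGIC_USEC = 0xA1B2C3D4  # classic pcap, microsecond timestamps
MAGIC_NSEC = 0xA1B23C4D  # pcap variant with nanosecond timestamps
HTTP_REQUEST_LINE = re.compile(rb"(?:GET|POST|PUT|HEAD|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")


@dataclass
class Packet:
    ts_sec: int
    ts_frac: int   # microseconds or nanoseconds, depending on the magic number
    orig_len: int  # length on the wire (may exceed len(data) if the producer truncated)
    data: bytes


def _read_exact(src: BinaryIO, n: int) -> bytes:
    """Read exactly n bytes; return b"" at a clean end of stream, raise on a cut record."""
    buf = b""
    while len(buf) < n:
        chunk = src.read(n - len(buf))
        if not chunk:
            if buf:
                raise EOFError("stream ended in the middle of a pcap record")
            return b""
        buf += chunk
    return buf


class PcapStreamReader:
    """Parses a pcap byte stream (file or PCAP-over-IP socket) one record at a time."""

    def __init__(self, src: BinaryIO):
        hdr = _read_exact(src, 24)
        if len(hdr) < 24:
            raise ValueError("stream shorter than a 24-byte pcap global header")
        # The magic number is written in the producer's byte order; use it to pick ours.
        if struct.unpack("<I", hdr[:4])[0] in (MAGIC_USEC, MAGIC_NSEC):
            self.endian = "<"
        elif struct.unpack(">I", hdr[:4])[0] in (MAGIC_USEC, MAGIC_NSEC):
            self.endian = ">"
        else:
            raise ValueError("not a pcap stream: bad magic %r" % hdr[:4])
        self.magic = struct.unpack(self.endian + "I", hdr[:4])[0]
        (self.version_major, self.version_minor, _tz, _sig,
         self.snaplen, self.linktype) = struct.unpack(self.endian + "HHiIII", hdr[4:])
        self.global_header = hdr
        self._src = src

    def __iter__(self) -> Iterator[Packet]:
        while True:
            rec = _read_exact(self._src, 16)
            if not rec:
                return  # clean end of stream between records
            ts_sec, ts_frac, incl_len, orig_len = struct.unpack(self.endian + "IIII", rec)
            if incl_len > self.snaplen or incl_len > orig_len:
                raise ValueError("implausible record length %d" % incl_len)
            data = _read_exact(self._src, incl_len)
            if len(data) < incl_len:
                raise EOFError("stream ended in the middle of packet data")
            yield Packet(ts_sec, ts_frac, orig_len, data)


def find_http_request_lines(packets: Iterable[Packet]) -> List[bytes]:
    """Crude plaintext check: HTTP request lines are only visible if the traffic was decrypted."""
    found: List[bytes] = []
    for p in packets:
        found.extend(m.group(0).rstrip(b"\r\n") for m in HTTP_REQUEST_LINE.finditer(p.data))
    return found


def save_pcap_over_ip(host: str, port: int, out_path: str, max_packets: Optional[int] = None) -> int:
    """Connect to a PCAP-over-IP listener and copy the stream to a pcap file; returns packet count."""
    with socket.create_connection((host, port)) as sock, open(out_path, "wb") as out:
        reader = PcapStreamReader(sock.makefile("rb"))
        out.write(reader.global_header)
        count = 0
        for pkt in reader:
            out.write(struct.pack(reader.endian + "IIII", pkt.ts_sec, pkt.ts_frac, len(pkt.data), pkt.orig_len))
            out.write(pkt.data)
            count += 1
            if max_packets and count >= max_packets:
                break
    return count


def _tcp_frame(payload: bytes, sport: int, dport: int) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame; checksums are zero, which is fine for a parsing demo."""
    eth = b"\x02" * 6 + b"\x02" * 5 + b"\x01" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_sample_stream() -> bytes:
    """Constructed little-endian pcap stream of two frames, shaped like decrypted proxy output."""
    hdr = struct.pack("<IHHiIII", MAGIC_USEC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    frames = [
        _tcp_frame(b"GET /login HTTP/1.1\r\nHost: example.test\r\n\r\n", 40000, 80),
        _tcp_frame(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n", 80, 40000),
    ]
    parts = [hdr]
    for i, frame in enumerate(frames):
        parts.append(struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)))
        parts.append(frame)
    return b"".join(parts)


if __name__ == "__main__":
    # Assumed listener: PolarProxy started with --pcapoverip 57012 on this host.
    n = save_pcap_over_ip("127.0.0.1", 57012, "decrypted.pcap", max_packets=1000)
    print("wrote %d packets; now run: suricata -r decrypted.pcap -l ./suricata-logs" % n)
```

Because PolarProxy rewrites the decrypted side to a plain port (the answer above describes it as real-time decryption plus re-encryption), what Suricata sees in the saved file is ordinary HTTP, so the existing `http.*` keyword rules fire without any TLS-specific configuration; the point of `find_http_request_lines` is only to confirm you are feeding plaintext and not still-encrypted records.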