I am trying to decrypt SSL traffic using a MITM/Squid proxy and sending it to Suricata (Security Onion). Is this possible? I want to achieve encrypted payload inspection in HTTPS attacks. Ja3 fingerprinting is working fine.
I have the same question, is there a possibility to implement a feature in Suricata to inspect SSL / HTTPS traffic?
As I understood, Suricata will not do any TLS inspection (except Ja3 hash). To do this TLS traffic needs to be decrypted first before sending it to Suricata. So I used PolarProxy for TLS decryption and then Suricata was able to perform detection on it.
1 Like
Thanks for your reply, can you please describe in more detail how you do this?
There are two ways of detecting SSL/TLS traffic using Suricata:
- Ja3 Hash - a good article is here
- Decrypting traffic using a proxy - this is what I was talking about: using PolarProxy. PolarProxy is capable of decrypting and re-encrypting TLS traffic in real time, and it also has a feature, pcapoverip, in which you can capture the decrypted traffic in Wireshark or replay it in your network using tcpreplay. This decrypted traffic can be sent to Suricata to apply detection. This article can help you.
1 Like
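To make the "decrypt with PolarProxy, hand the plaintext to Suricata" pipeline from the two answers above concrete, here is an added example (not code from this thread, from PolarProxy or from Suricata) showing what a PCAP-over-IP stream actually is: a libpcap file streamed over a TCP connection, i.e. a 24-byte global header followed by 16-byte record headers and packet bytes. The script parses that stream, validates it, and writes it to a pcap file that Suricata can read with `suricata -r`. The port 57012 and the sample frames are assumptions constructed for the example; use whatever host and port your PolarProxy instance was started with.

```python
# pcapoverip_to_pcap.py - added example; not from the forum thread, PolarProxy or Suricata.
import io
import socket
import struct
import sys

PCAP_GLOBAL_HDR_LEN = 24
PCAP_RECORD_HDR_LEN = 16
MAGIC_USEC = 0xA1B2C3D4   # classic libpcap magic, microsecond timestamps
MAGIC_NSEC = 0xA1B23C4D   # libpcap magic with nanosecond timestamps
MAX_RECORD = 0x40000      # sanity limit on one captured packet (256 KiB)


def read_exact(stream, n):
    """Read exactly n bytes. Return b'' on a clean EOF (sender closed between
    records); raise EOFError if the stream ends in the middle of an object."""
    buf = bytearray()
    while len(buf) < n:
        chunk = stream.read(n - len(buf))
        if not chunk:
            if not buf:
                return b""
            raise EOFError("stream ended inside a pcap header or packet")
        buf += chunk
    return bytes(buf)


def parse_global_header(stream):
    """Parse the 24-byte libpcap global header that opens the stream.
    Returns (struct byte-order prefix, link type, snaplen, raw header bytes)."""
    raw = read_exact(stream, PCAP_GLOBAL_HDR_LEN)
    if len(raw) != PCAP_GLOBAL_HDR_LEN:
        raise ValueError("no pcap global header on stream")
    for order in ("<", ">"):  # magic tells us the sender's byte order
        magic = struct.unpack(order + "I", raw[:4])[0]
        if magic in (MAGIC_USEC, MAGIC_NSEC):
            _, _, _, _, snaplen, link_type = struct.unpack(order + "HHiIII", raw[4:])
            return order, link_type, snaplen, raw
    raise ValueError("bad pcap magic: %s" % raw[:4].hex())


def iter_records(stream, order):
    """Yield (record header bytes, packet bytes) until the sender closes."""
    while True:
        hdr = read_exact(stream, PCAP_RECORD_HDR_LEN)
        if not hdr:
            return
        _ts_sec, _ts_frac, incl_len, orig_len = struct.unpack(order + "IIII", hdr)
        if incl_len > orig_len or incl_len > MAX_RECORD:
            raise ValueError("implausible record length %d" % incl_len)
        data = read_exact(stream, incl_len)
        if len(data) != incl_len:
            raise EOFError("stream ended inside a packet")
        yield hdr, data


def relay(stream, out_file):
    """Copy one PCAP-over-IP stream into a pcap file (readable by
    'suricata -r' or Wireshark). Returns (packet count, payload byte count)."""
    order, _link_type, _snaplen, raw_hdr = parse_global_header(stream)
    out_file.write(raw_hdr)
    count = total = 0
    for hdr, data in iter_records(stream, order):
        out_file.write(hdr + data)
        count += 1
        total += len(data)
    return count, total


def relay_bytes(data):
    """In-memory variant of relay(); returns (count, total, output bytes)."""
    out = io.BytesIO()
    count, total = relay(io.BytesIO(data), out)
    return count, total, out.getvalue()


def build_sample_stream():
    """Constructed test input (not real traffic): a little-endian global header
    (Ethernet, snaplen 65535) followed by two Ethernet-sized packet records."""
    ghdr = struct.pack("<IHHiIII", MAGIC_USEC, 2, 4, 0, 0, 65535, 1)
    frames = [b"\x00" * 12 + b"\x08\x00" + b"A" * 46,    # 60-byte frame
              b"\xff" * 12 + b"\x08\x00" + b"B" * 100]   # 114-byte frame
    records = b""
    for i, frame in enumerate(frames):
        records += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return ghdr + records


def connect_pcap_over_ip(host="127.0.0.1", port=57012):
    """Open the live TCP stream. Port 57012 is an assumption for this example."""
    return socket.create_connection((host, port)).makefile("rb")


if __name__ == "__main__":
    if len(sys.argv) >= 3:                       # python3 pcapoverip_to_pcap.py HOST PORT
        src = connect_pcap_over_ip(sys.argv[1], int(sys.argv[2]))
    else:                                        # no arguments: use the constructed sample
        src = io.BytesIO(build_sample_stream())
    with open("decrypted.pcap", "wb") as out:
        n, nbytes = relay(src, out)
    print("wrote %d packets (%d bytes) to decrypted.pcap; inspect with: suricata -r decrypted.pcap" % (n, nbytes))
```

Run with no arguments to exercise the constructed sample, or with a host and port to drain a live stream. The script raises on a truncated record rather than silently emitting a half-written packet, because a pcap that ends mid-record is exactly the kind of input that makes a later `suricata -r` run stop early and miss everything after the cut.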