Encrypted traffic inspection

Daryald · June 1, 2022, 4:37am

I am trying to decrypt SSL traffic using MITM/Squid proxy and sending it to Suricata (Security Onion), Is this possible? I want to achieve encrypted payload inspection in HTTPS attacks. Ja3 fingerprinting is working fine.

twojake · June 16, 2022, 6:10pm

I have the same question, is there a possibility to implement a feature in Suricata to inspect SSL / HTTPS traffic?

Daryald · June 17, 2022, 3:17am

As I understood, Suricata will not do any TLS inspection (except Ja3 hash). To do this TLS traffic needs to be decrypted first before sending it to Suricata. So I used PolarProxy for TLS decryption and then Suricata was able to perform detection on it.

twojake · June 17, 2022, 10:34am

Thanks for you reply, can you please describe more in detail how you do this?

Daryald · June 17, 2022, 11:33am

There are two ways of detecting SSL/TLS traffic using Suricata:

Ja3 Hash- Good article is here
Decrypting traffic using proxy- This is what I was talking about - using Polar Proxy. PolarProxy is capable to decrypt and re-encrypt TLS traffic in real time and also it has feature pcapoverip in which you can capture decrypted traffic in Wireshark or re-play it in your network using tcpreplay. This decrypted traffic can be sent to Suricata to apply detection. This article can help you.

Topic		Replies	Views
Ssl decryption monitoring Help	0	609	June 28, 2021
Suricata and reverse_https shell Help ips , rules	3	1009	December 10, 2021
Bypassing encrypted traffic does not seem to work Help	8	1523	December 10, 2021
How can I analyze SSL traffic? I have the private key Help	1	757	June 30, 2022
Check https connection Help	2	486	August 7, 2020

Encrypted traffic inspection

Related Topics