I created a virtual instance i.e PolarProxy for the incoming traffic decrytion purpose. I am using this command “PolarProxy -p 443,80 --leafcert noclone --terminate --connect <suricata_ip>:<suricata_port> --cert /path/to/cert.pem --key /path/to/key.pem --pcapoverip <polarproxy_ip>:<polarproxy_port>” to send incoming traffic to polarproxy for decrytion and further send it to suricata by using the keyword pcapoverip.
My question is can we configure suricata in such a manner so that it send back the decryted traffic after inspection to PolarProxy for re-encryption before send it to the destination server. If yes, please tell me how.
Sir, I already set up suricata successfully in my firewall.
My question is it is possible to forward traffic from suricata to other virtual instance (after inspection) configured in my firewall?
Thanks in advance.
As I said the IPS modes mentioned are able to receive traffic and return them aftewards, either from interface to interface directly with AF_PACKET or within netfilter via NFQUEUE where you can use routing etc.
I setup suricata in NFQUEUE IPS mode. And i sucessfully configured polarproxy to send decrypted traffic to suricata for inspection. Now i have to forward that decrypted traffic again back to polarproxy for re-encryption for this i have to configure output module in suricata’s configuration file. I am not able to configure it in that manner. can you please help me with this???
Thanks in advance.
This is not related to the output of Suricata, since this is only for logging etc.
You need to properly configure the NFQUEUE setup to make sure that the packets are forwarded back again. You can test this independent from Suricata in Netfilter first, before you integrate it via NFQUEUE there.
There is a feature request for adding PCAP-over-IP support to Suricata, but I don’t think that feature has been implemented. Until this feature has been added you can use a netcat+tcpreplay workaround to ingest the PCAP-over-IP data from PolarProxy into Suricata. Run this command on the Suricata machine to read the PCAP-over-IP stream from the PolarProxy machine:
nc <polarproxy_ip> 57012 | tcpreplay -i eth0 -t -
The decrypted TLS traffic will then be replayed to Suricata’s eth1 interface, provided that PolarProxy was started with --pcapoverip <polarproxy_ip>:57012
Please note that --terminate --connect <suricata_ip>:<suricata_port> will cause PolarProxy to terminate the TLS connection and forward the client’s HTTP connection unencrypted to Suricata as if it was hosting the requested content. Removing these two arguments will enable PolarProxy to re-encrypt the TLS connection and forward it to the correct destination, while still making the decrypted traffic available for Suricata through the PCAP-over-IP service on port 57012.
A more detailed writeup on how to deploy PolarProxy with Security Onion (and Suricata) can be found here: