I am running an inline Suricata IDPS with AF-PACKET.
There are a lot of phishing or malicious Facebook pages and shortened URL links, and I cannot simply block the domain names because those domain names are well known to the public.
I tried SSLProxy, but it requires Suricata's IP address and port. However, my Suricata does not have those.
I also tried a Lua script and rules to block the links. However, it only works for unencrypted (HTTP) traffic.
How can I block those SSL/TLS phishing or malicious links?
I did get this somewhat working with sslproxy years ago. IIRC they bundle a simple tool to forward the traffic, and then I could hook up Suricata to use NFQ to pass/drop the traffic between sslproxy and that tool (I forgot its name). It worked with some issues, like the IP addresses being from the connection between sslproxy and the tool.
I did a WIP branch years ago to try and support it better, by parsing the embedded magic headers, but that is quite stale right now. I plan to revisit it some day. See
You first have to make it work without Suricata. Then there will be a TCP connection between the sslproxy tool and its forwarded application. You can create nftables/iptables rules for that connection, and use NFQ to allow Suricata to accept/drop on it.
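To make the two replies above concrete, here is an added example (not code from this thread, from Suricata or from SSLproxy) that models what the inspection point sees once the sslproxy-to-listening-program connection is in place: a decrypted HTTP request prefixed by the SSLproxy header line, which is the "embedded magic header" mentioned above and the only place the real client and server addresses survive, since the packets themselves carry loopback addresses. The header format (`SSLproxy: [return]:port,[client]:port,[server]:port,s|p`) is assumed from SSLproxy's documentation as recalled here, and the addresses, paths and blocklist are constructed for the example. In the real deployment the pass/drop is issued by Suricata over NFQ on that loopback connection; this script only shows the parsing and the decision that matching a full URL under a well-known domain requires.

```python
"""Model of the decision Suricata would make on sslproxy's decrypted stream.

Added example, not code from the Suricata thread or from SSLproxy.
Assumptions (labelled): SSLproxy prepends one line of the form
  SSLproxy: [return_addr]:port,[client]:port,[server]:port,s|p
to the plaintext it forwards to its listening program (format as recalled from
SSLproxy's README), and the addresses, paths and blocklist below are invented.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Blocklist of scheme-less URL prefixes: the hosts are famous, the paths are not.
# Constructed for the example; not real phishing pages.
BLOCKED_URL_PREFIXES = (
    "www.facebook.com/groups/free-giftcards",
    "bit.ly/3xyzABC",
)

# Constructed sample streams as they would arrive on the loopback connection
# between sslproxy and its listening program (addresses invented).
SAMPLE_BLOCKED = (
    b"SSLproxy: [127.0.0.1]:34649,[192.168.3.24]:47286,[157.240.1.35]:443,s\r\n"
    b"GET /groups/free-giftcards HTTP/1.1\r\n"
    b"Host: www.facebook.com\r\n"
    b"User-Agent: example\r\n"
    b"\r\n"
)
SAMPLE_ALLOWED = (
    b"SSLproxy: [127.0.0.1]:34650,[192.168.3.24]:47290,[157.240.1.35]:443,s\r\n"
    b"GET /groups/free-giftcards-support HTTP/1.1\r\n"
    b"Host: www.facebook.com\r\n"
    b"\r\n"
)
SAMPLE_PLAIN_BLOCKED = (
    b"SSLproxy: [127.0.0.1]:34651,[192.168.3.24]:47291,[67.199.248.11]:80,p\r\n"
    b"GET /3xyzABC HTTP/1.1\r\n"
    b"Host: bit.ly\r\n"
    b"\r\n"
)

HEADER_RE = re.compile(
    r"^SSLproxy: \[(?P<ret>[^\]]+)\]:(?P<ret_port>\d+),"
    r"\[(?P<cli>[^\]]+)\]:(?P<cli_port>\d+),"
    r"\[(?P<srv>[^\]]+)\]:(?P<srv_port>\d+),(?P<mode>[sp])$"
)


@dataclass
class ProxiedConn:
    """Endpoints recovered from the SSLproxy header line (assumed format)."""
    return_addr: Tuple[str, int]  # where the listening program connects back to
    client: Tuple[str, int]       # real client behind the loopback connection
    server: Tuple[str, int]       # real server the client was talking to
    tls: bool                     # 's' = decrypted TLS, 'p' = plain


def parse_sslproxy_header(line: str) -> ProxiedConn:
    """Parse the header line; anything else means the stream did not come via sslproxy."""
    m = HEADER_RE.match(line)
    if m is None:
        raise ValueError("not an SSLproxy header line: %r" % line)
    return ProxiedConn(
        return_addr=(m["ret"], int(m["ret_port"])),
        client=(m["cli"], int(m["cli_port"])),
        server=(m["srv"], int(m["srv_port"])),
        tls=(m["mode"] == "s"),
    )


def parse_request(lines: List[str]) -> Tuple[str, str, str]:
    """Return (method, request-target, host) from the request line and Host header."""
    method, target, _version = lines[0].split(" ", 2)
    for header in lines[1:]:
        if header == "":
            break
        name, _, value = header.partition(":")
        if name.strip().lower() == "host":
            return method, target, value.strip().lower()
    raise ValueError("request without Host header")


def url_is_blocked(url: str, prefixes=BLOCKED_URL_PREFIXES) -> bool:
    """Prefix match with a path boundary so /free-giftcards-support is not caught."""
    return any(url == p or url.startswith(p + "/") or url.startswith(p + "?") for p in prefixes)


def verdict(stream: bytes) -> dict:
    """Recover the real endpoints, rebuild the URL and decide pass/drop."""
    lines = stream.decode("latin-1").split("\r\n")
    conn = parse_sslproxy_header(lines[0])
    method, target, host = parse_request(lines[1:])
    url = host + target
    return {
        "action": "drop" if url_is_blocked(url) else "pass",
        "url": ("https://" if conn.tls else "http://") + url,
        "method": method,
        "client": conn.client,
        "server": conn.server,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_BLOCKED, SAMPLE_ALLOWED, SAMPLE_PLAIN_BLOCKED):
        print(verdict(sample))
```

The boundary check in `url_is_blocked` is the part worth keeping from this: a bare `startswith` on a blocklist entry under a popular domain silently widens the block to every page whose path shares that prefix. The `client` and `server` fields are what the first reply refers to as missing from the packet addresses; they can only be recovered from the header line, so any logging or rule that keys on client IP has to read it from there rather than from the loopback 5-tuple.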