How can I use Suricata to detect and generate alerts for HTTPS traffic without decrypting it?
1. Do not use certificates.
Hi!
Maybe detect packet sizes during the session?
I think that you can't decrypt HTTPS without certificates to detect headers in packets.
You can try to use PolarProxy and Suricata: Sniffing Decrypted TLS Traffic with Security Onion
Use (supported) metadata (packet size, frequency, related domains/IPs, traffic "patterns" ...), think outside the box, and don't focus too much on the encrypted content.
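Putting the metadata approach from the replies into Suricata rules, as an added example that is not from any of the posters: these rules match TLS handshake fields Suricata parses without decryption (SNI, certificate subject, certificate validity, protocol version, JA3 client fingerprint, session rate). The domain, CN, JA3 value and SID range are constructed placeholders.

```suricata
# local-tls-metadata.rules (constructed example): alert on TLS metadata that
# Suricata parses in the clear; no private keys or decryption are needed.
# SIDs 1000001+ are assumed local-rule numbers; adjust to your own scheme.

# 1. Client Hello SNI: the requested server name is sent unencrypted
#    (unless Encrypted Client Hello is in use), so a domain watchlist works.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL TLS SNI matches watchlisted domain"; \
    flow:established,to_server; tls.sni; content:"watchlisted.example"; nocase; endswith; \
    classtype:policy-violation; sid:1000001; rev:1;)

# 2. Server certificate subject (server -> client direction): catches the
#    same domain even when the client sends no SNI.
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL TLS cert subject matches watchlisted CN"; \
    flow:established,to_client; tls.cert_subject; content:"CN=watchlisted.example"; nocase; \
    classtype:policy-violation; sid:1000002; rev:1;)

# 3. Expired certificate presented to an internal client.
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL TLS expired server certificate"; \
    flow:established,to_client; tls.cert_expired; \
    classtype:protocol-command-decode; sid:1000003; rev:1;)

# 4. Legacy protocol version negotiated (the version field is plaintext).
alert tls any any -> any any (msg:"LOCAL TLS 1.0 session"; tls.version:1.0; \
    classtype:policy-violation; sid:1000004; rev:1;)

# 5. Client fingerprint (JA3 = MD5 over Client Hello parameters). Needs
#    app-layer.protocols.tls.ja3-fingerprints: yes in suricata.yaml.
#    REPLACE-WITH-JA3-MD5 is a placeholder, not a real indicator.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL TLS client JA3 on blocklist"; \
    flow:established,to_server; ja3.hash; content:"REPLACE-WITH-JA3-MD5"; \
    classtype:trojan-activity; sid:1000005; rev:1;)

# 6. Traffic pattern rather than content: one internal host opening 50+ TLS
#    sessions carrying an SNI within 60 s (beaconing candidate). Tune the
#    count/seconds to your network before enabling.
alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"LOCAL high TLS session rate from single host"; \
    flow:established,to_server; tls.sni; content:"."; \
    threshold:type threshold, track by_src, count 50, seconds 60; \
    classtype:policy-violation; sid:1000006; rev:1;)
```

Suricata also writes the same fields (sni, subject, issuerdn, version, ja3) to the tls records in eve.json, so the same watchlists can be applied to the logs after the fact.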