Real-time TLS Traffic Inspection

Hello Suricata community, I’m looking for guidance on configuring Suricata to inspect TLS traffic and detect threats in real-time without incurring storage overhead. Specifically, I’ve set up PolarProxy (version 1.0.0) and followed “Sniffing Decrypted TLS Traffic with Security Onion”, but I need help in redirecting the traffic to Suricata while also monitoring other traffic on the network.
The command mentioned in the blog post is:
[image: the command from the blog post]

How can I utilize Suricata, such that it monitors the traffic coming from the netcat connection on port 57012, while also analyzing all the traffic on the network?

  • Suricata version: 7.0.6
  • OS: Windows 10 Pro
  • Installed from source

Suricata can capture traffic on multiple interfaces simultaneously. This way you can have one interface on which Suricata receives traffic from a network tap or SPAN/mirror port and another dummy interface (in your case called decrypted) where it gets replayed traffic from the TLS interception proxy.
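As an added example (not part of the answer above or of the Suricata or PolarProxy projects), here is what the two-interface setup looks like in the cross-platform pcap capture section of suricata.yaml; the interface names eth0 and decrypted are assumptions, and on Windows they take the Npcap form \Device\NPF_{GUID} instead.

```yaml
# suricata.yaml excerpt (added example, not from the original thread).
# Two interfaces are captured at the same time by the libpcap runmode:
#  - eth0:      receives the tap / SPAN mirror of the live network
#               (interface name is an assumption)
#  - decrypted: dummy interface onto which the decrypted PCAP-over-IP
#               stream from PolarProxy (netcat, TCP port 57012) is
#               replayed, so Suricata sees the cleartext sessions
#               (interface name is an assumption)
# On Windows, use the Npcap device names, e.g. \Device\NPF_{GUID}.
pcap:
  - interface: eth0
    # Mirror ports carry every frame, so keep promiscuous mode on.
    promisc: yes
    # Let Suricata detect checksum offloading on the live capture.
    checksum-checks: auto
  - interface: decrypted
    promisc: yes
    checksum-checks: auto
  # Defaults applied to any interface not listed explicitly.
  - interface: default
    checksum-checks: auto
```

Start Suricata with `suricata -c suricata.yaml --pcap`; with no device given after `--pcap`, every interface listed in the pcap section is opened, so alerts from the mirror port and from the replayed decrypted traffic land in the same eve.json.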