Real-time TLS Traffic Inspection

NewtoSuri · July 11, 2024, 9:47am

Hello Suricata community, I’m looking for guidance on configuring Suricata to inspect TLS traffic and detect threats in real-time without incurring storage overhead. Specifically, I’ve set up PolarProxy (version 1.0.0) and followed: Sniffing Decrypted TLS Traffic with Security Onion; but I need help in redirecting the traffic to Suricata while also monitoring other traffic on the network.
The command mentioned in the blog post is:

How can I utilize Suricata, such that it monitors the traffic coming from the netcat connection on port 57012, while also analyzing all the traffic on the network?

Suricata version: 7.0.6

OS: Windows 10 Pro

Installed from source

erik · July 14, 2024, 9:27am

Suricata can capture traffic on multiple interfaces simultaneously. This way you can have one interface on which Suricata receives traffic from a network tap or SPAN/mirror port and another dummy interface (in your case called decrypted) where it gets replayed traffic from the TLS interception proxy.

hyj · October 24, 2024, 7:59am

Have you solved it yet？

Topic		Replies	Views
Encrypted traffic inspection Help suricata	4	8085	June 17, 2022
Suricata with SSL Decryption Help ips	7	2631	March 20, 2023
Analyze HTTPS traffic with proxy Help suricata	5	1446	October 24, 2024
Forward Inspected Traffic From Suricata To Other Virtual Instance (PolarProxy) Developers community , suricata	8	1130	October 24, 2024
Bypassing encrypted traffic does not seem to work Help	8	1789	December 10, 2021

Real-time TLS Traffic Inspection

Related topics