Does anyone know how to get the Suricata engine to break TLS and scan the encrypted payload?
I am used to this being on an all-in-one device firewall.
Suricata can't break TLS, and neither can other software; what is normally done is to install a decryption proxy/device in a managed environment where you can push your local root certificate to endpoints.
This root certificate is installed on all endpoints and trusted. The decryption device intercepts all TLS communications and generates certificates that are presented to the client's software; those certificates are signed with the local root certificate.
Some of those decryption devices have the capability to forward the decrypted packets to other software like Suricata.
Hope this helps.
Thanks for the response. I understand that Suricata won't be able to see encrypted traffic. What I'm asking is: if I have Suricata installed on a separate server from my firewall, and my firewall can do the decryption, how does one send that decrypted stream to Suricata? That's the missing piece I'm not getting how to do.
Right now Suricata can see traffic that's copied to it via a SPAN port, but that also includes TLS streams. I need the IPS to inspect that stream as well... Otherwise the ET rules that I use are useless.
One solution that I have not tested myself is the PolarProxy TLS proxy.
Thanks, I've been looking into this all day.
So I'm a bit confused overall regarding Suricata, or really any IPS. I see signatures that look at the TCP header or at the payload. From my viewpoint there doesn't seem to be a way to send unencrypted traffic to the Suricata engine even if it's sitting inline. So I'm left with the assumption that signatures that are created are never triggered, or threat actors are still using port 80 (which is possible).
I will continue to do research on my end, but if the IPS is not integrated with a decryption engine, then what's the point?
Even if the connection is encrypted, Suricata can do useful things with it, including matching against IOCs (e.g. TLS SNI), matching against JA3(S) hashes, detecting frequency of communication, etc. Moreover, the NSM feature records every transaction so that you can do network forensics while doing incident response or behavioral detection.
Depending on your architecture and what you are trying to protect, there are actually ways to deal with encrypted traffic. For example, if you are protecting web applications, placing Suricata after the TLS termination device will mean it sees unencrypted traffic.
And yes, APTs still use unencrypted channels.
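What the reply above means in practice, as an added example (not code from the thread or from the Suricata project): Suricata's EVE JSON log writes one `tls` event per handshake carrying the SNI, the JA3/JA3S hashes and the certificate metadata, all of which travel in the clear before encryption starts. The script below post-processes such events the way an analyst would during incident response: it matches SNI and JA3 against IOC lists (the same thing rules using the `tls.sni` and `ja3.hash` keywords do inline) and flags client/server pairs whose handshakes arrive at suspiciously regular intervals. The eve.json lines, IP addresses, hostnames and JA3 hashes are constructed for the example and are not real indicators.

```python
"""Added example: IOC matching and beacon detection over Suricata EVE 'tls' events.

Field layout (timestamp, event_type, src_ip, dest_ip, dest_port, tls.sni,
tls.ja3.hash) follows Suricata's eve.json; the values are constructed.
"""
import json
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed IOC lists (hypothetical values, not real threat intel).
SNI_IOCS = {"cdn-update.example.net"}
JA3_IOCS = {"e7d705a3286e19ea42f587b344ee6865"}

# Constructed eve.json excerpt: one host beaconing every 60 s to the same
# server with an IOC SNI and JA3, one host browsing normally, one host that
# only matches on JA3, and one non-TLS event that must be ignored.
EVE_JSON = """\
{"timestamp":"2024-05-01T10:00:00.000000+0000","event_type":"tls","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","dest_port":443,"tls":{"sni":"cdn-update.example.net","version":"TLS 1.2","ja3":{"hash":"e7d705a3286e19ea42f587b344ee6865"}}}
{"timestamp":"2024-05-01T10:00:10.000000+0000","event_type":"tls","src_ip":"10.0.0.7","dest_ip":"198.51.100.20","dest_port":443,"tls":{"sni":"www.example.org","version":"TLS 1.3","ja3":{"hash":"0123456789abcdef0123456789abcdef"}}}
{"timestamp":"2024-05-01T10:00:30.000000+0000","event_type":"flow","src_ip":"10.0.0.7","dest_ip":"198.51.100.20","dest_port":443}
{"timestamp":"2024-05-01T10:00:40.000000+0000","event_type":"tls","src_ip":"10.0.0.7","dest_ip":"198.51.100.20","dest_port":443,"tls":{"sni":"www.example.org","version":"TLS 1.3","ja3":{"hash":"0123456789abcdef0123456789abcdef"}}}
{"timestamp":"2024-05-01T10:01:00.000000+0000","event_type":"tls","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","dest_port":443,"tls":{"sni":"cdn-update.example.net","version":"TLS 1.2","ja3":{"hash":"e7d705a3286e19ea42f587b344ee6865"}}}
{"timestamp":"2024-05-01T10:02:00.000000+0000","event_type":"tls","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","dest_port":443,"tls":{"sni":"cdn-update.example.net","version":"TLS 1.2","ja3":{"hash":"e7d705a3286e19ea42f587b344ee6865"}}}
{"timestamp":"2024-05-01T10:02:30.000000+0000","event_type":"tls","src_ip":"10.0.0.9","dest_ip":"192.0.2.50","dest_port":443,"tls":{"sni":"files.example.com","version":"TLS 1.2","ja3":{"hash":"e7d705a3286e19ea42f587b344ee6865"}}}
{"timestamp":"2024-05-01T10:03:00.000000+0000","event_type":"tls","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","dest_port":443,"tls":{"sni":"cdn-update.example.net","version":"TLS 1.2","ja3":{"hash":"e7d705a3286e19ea42f587b344ee6865"}}}
{"timestamp":"2024-05-01T10:04:00.000000+0000","event_type":"tls","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","dest_port":443,"tls":{"sni":"cdn-update.example.net","version":"TLS 1.2","ja3":{"hash":"e7d705a3286e19ea42f587b344ee6865"}}}
{"timestamp":"2024-05-01T10:07:20.000000+0000","event_type":"tls","src_ip":"10.0.0.7","dest_ip":"198.51.100.20","dest_port":443,"tls":{"sni":"www.example.org","version":"TLS 1.3","ja3":{"hash":"0123456789abcdef0123456789abcdef"}}}
{"timestamp":"2024-05-01T10:07:35.000000+0000","event_type":"tls","src_ip":"10.0.0.7","dest_ip":"198.51.100.20","dest_port":443,"tls":{"sni":"www.example.org","version":"TLS 1.3","ja3":{"hash":"0123456789abcdef0123456789abcdef"}}}
"""


def parse_tls_events(eve_text):
    """Return only the 'tls' events from raw EVE JSON lines (one object per line)."""
    events = []
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("event_type") == "tls":
            events.append(ev)
    return events


def match_iocs(events):
    """Flag handshakes whose SNI or JA3 client hash is on an IOC list.

    Returns one (src_ip, dest_ip, reason) tuple per matching indicator; a single
    handshake can therefore produce both an 'sni:' and a 'ja3:' hit.
    """
    hits = []
    for ev in events:
        tls = ev.get("tls", {})
        sni = tls.get("sni")
        ja3 = tls.get("ja3", {}).get("hash")
        if sni in SNI_IOCS:
            hits.append((ev["src_ip"], ev["dest_ip"], f"sni:{sni}"))
        if ja3 in JA3_IOCS:
            hits.append((ev["src_ip"], ev["dest_ip"], f"ja3:{ja3}"))
    return hits


def find_beacons(events, min_events=4, max_cv=0.1):
    """Detect regularly spaced handshakes between one client and one server.

    Groups events by (src_ip, dest_ip, dest_port), computes the gaps between
    consecutive handshakes and reports pairs whose coefficient of variation
    (stdev / mean) is at or below max_cv, i.e. near-constant timing.
    Returns {(src_ip, dest_ip, dest_port): (handshake_count, mean_gap_seconds)}.
    """
    by_pair = defaultdict(list)
    for ev in events:
        ts = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        by_pair[(ev["src_ip"], ev["dest_ip"], ev["dest_port"])].append(ts)

    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        if statistics.pstdev(gaps) / mean <= max_cv:
            beacons[pair] = (len(stamps), mean)
    return beacons


if __name__ == "__main__":
    evs = parse_tls_events(EVE_JSON)
    for hit in match_iocs(evs):
        print("IOC match:", hit)
    for pair, (count, gap) in find_beacons(evs).items():
        print(f"possible beacon {pair}: {count} handshakes every ~{gap:.0f}s")
```

Note that none of this needed the payload: SNI, JA3 and timing are visible on a plain SPAN copy of the TLS stream, which is why the SNI/JA3 parts of the ET rule sets still fire even where the HTTP content rules cannot.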
You are correct on this piece. I do have it running on selected parts of the network where I know for sure there is no TLS.
I was running this on the edge... which I think is the issue.
You can also feed Suricata via a standalone decryption solution like Mira ETO, but it is an enterprise solution and offers VMs or hardware.