[Oisf-users] Analysis of SSL-decrypted traffic
Cooper F. Nelson
cnelson at ucsd.edu
Tue Feb 25 19:04:40 UTC 2020
Have you tried logging http to file, to ensure that suricata is decoding
it?
Have you tried enabling the http-events rules?
https://github.com/OISF/suricata/blob/master/rules/http-events.rules
In my personal experience, I haven't seen any evidence of malicious
behavior over tls from common sources (trusted domains/IPs) to our
clients. This is based on cross-referencing EDR alerts with suricata.
We sinkhole bad IPs and domains automatically, which will stop the bulk
of these attacks entirely from 'known bad' sources. I have observed
malicious activity inbound over tls to servers, however.
For malware that uses tls, like Dridex, the EmergingThreats team will
release signatures for the certificates, so you may actually be losing
visibility by decoding the traffic. I'm not sure if they have sigs to
detect the decoded CnC traffic for malware families that utilize tls.
-Coop
On 2/25/2020 8:53 AM, Federico Foschini wrote:
>
> Hello,
> I’ve configured my firewall to mirror SSL-decrypted traffic to a
> server in which I’m running suricata 5.0
>
> I cannot trigger any alert on this type of traffic, even if using zeek
> or wireshark I can clearly see that the traffic is HTTP (but on port 443).
>
> In suricata.yaml I’ve added port 443 to the HTTP_PORTS variable:
>
> port-groups: HTTP_PORTS: "[80,81,311,383, 443, ...]"
--
Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
cnelson at ucsd.edu x41042
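A verification step for the first suggestion in the reply above (log HTTP to file, then check whether Suricata is actually producing HTTP records for the decrypted port-443 traffic and whether any http-events rules fired), added here as an example; it is not code from the thread or from the Suricata project. It assumes the eve-log output has the http and alert types enabled; the eve.json lines embedded below are constructed, including the "SURICATA HTTP" alert's message and sid.

```python
"""Summarise an eve.json log: did Suricata decode HTTP on a given port
(443 here, for firewall-decrypted traffic) and did http-events rules fire?
Assumes eve-log has the 'http' and 'alert' event types enabled."""
import json
from collections import Counter

# Constructed sample eve.json records, not captured from a real sensor.
# The alert's message/sid are illustrative of the http-events rule set.
SAMPLE_EVE = """
{"timestamp":"2020-02-25T16:53:01.000000+0000","event_type":"http","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"203.0.113.10","dest_port":443,"proto":"TCP","app_proto":"http","http":{"hostname":"example.com","url":"/","http_method":"GET","protocol":"HTTP/1.1","status":200}}
{"timestamp":"2020-02-25T16:53:02.000000+0000","event_type":"flow","src_ip":"10.0.0.5","src_port":51235,"dest_ip":"203.0.113.10","dest_port":443,"proto":"TCP","app_proto":"failed"}
{"timestamp":"2020-02-25T16:53:03.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51236,"dest_ip":"203.0.113.11","dest_port":443,"proto":"TCP","app_proto":"http","alert":{"signature":"SURICATA HTTP unable to match response to request","signature_id":2221007,"category":"Generic Protocol Command Decode","severity":3}}
{"timestamp":"2020-02-25T16:53:04.000000+0000","event_type":"http","src_ip":"10.0.0.6","src_port":40000,"dest_ip":"198.51.100.7","dest_port":80,"proto":"TCP","app_proto":"http","http":{"hostname":"intranet","url":"/index.html","http_method":"GET","protocol":"HTTP/1.1","status":404}}
"""


def parse_eve(text):
    """Yield one dict per JSON line, skipping blank or malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated line at end of file is common; ignore it


def summarize(records, port=443):
    """Count, for flows to `port`: http records, flows whose app-layer
    detection failed, and alerts raised by http-events rules."""
    on_port = [r for r in records if r.get("dest_port") == port]
    http_recs = [r for r in on_port if r.get("event_type") == "http"]
    # app_proto "failed" means Suricata could not identify the protocol:
    # a hint that the mirrored, decrypted stream is not being parsed as HTTP.
    failed = [r for r in on_port if r.get("app_proto") == "failed"]
    http_event_alerts = [
        r for r in on_port if r.get("event_type") == "alert"
        and r.get("alert", {}).get("signature", "").startswith("SURICATA HTTP")
    ]
    return {
        "port": port,
        "records_on_port": len(on_port),
        "http_records": len(http_recs),
        "app_proto_failed": len(failed),
        "http_events_alerts": Counter(a["alert"]["signature"] for a in http_event_alerts),
        "methods": Counter(r["http"].get("http_method") for r in http_recs),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_eve(SAMPLE_EVE)).items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

On a live sensor, replace SAMPLE_EVE with the contents of eve.json; zero http records together with app_proto "failed" flows on port 443 means the decoder never saw parseable HTTP, which is a different problem from rules simply not matching.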