<div dir="ltr"><div class="markdown-here-wrapper" style=""><p style="margin:0px 0px 1.2em!important">Hello Nelson thank you for your insights.</p>
<p style="margin:0px 0px 1.2em!important">The inbound case obviously is the more interesting one since you can inspect all inbound attacks hitting your servers.<br>Unfortunately it seems the way to go for all firewall vendors is to sell the client SSL inspection as the holy grail to solve all security problems. I agree with you that is not so useful but some of our clients have it enabled so analyzing the traffic on suricata would be useful to me.</p>
<p style="margin:0px 0px 1.2em!important">Also I read that ET is planning to release some signature specifically for TLS-inspected traffic.</p>
<p style="margin:0px 0px 1.2em!important">However I did some testing and it looks like that if I’m only sniffing from the firewall interface everything is working fine. The issue starts when I’m sniffing both from the mirror port on the switch and on the firewall with this configuration:</p>
<pre style="font-size:0.85em;font-family:Consolas,Inconsolata,Courier,monospace;font-size:1em;line-height:1.2em;margin:1.2em 0px"><code style="font-size:0.85em;font-family:Consolas,Inconsolata,Courier,monospace;margin:0px 0.15em;padding:0px 0.3em;white-space:pre-wrap;border:1px solid rgb(234,234,234);background-color:rgb(248,248,248);border-radius:3px;display:inline;white-space:pre;overflow:auto;border-radius:3px;border:1px solid rgb(204,204,204);padding:0.5em 0.7em;display:block!important">af-packet:
  - interface: enp4s0
    threads: 2
    cluster-id: 1
    cluster-type: cluster_flow
    defrag: yes # To use the ring feature of AF_PACKET, set 'use-mmap' to yes
    use-mmap: yes 
    tpacket-v3: yes 
  - interface: enp3s0
    threads: 2
    cluster-id: 2
    cluster-type: cluster_flow
    defrag: yes # To use the ring feature of AF_PACKET, set 'use-mmap' to yes
    use-mmap: yes
    tpacket-v3: yes
</code></pre><p style="margin:0px 0px 1.2em!important"><code style="font-size:0.85em;font-family:Consolas,Inconsolata,Courier,monospace;margin:0px 0.15em;padding:0px 0.3em;white-space:pre-wrap;border:1px solid rgb(234,234,234);background-color:rgb(248,248,248);border-radius:3px;display:inline">enp4s0</code> is the firewall mirror port and <code style="font-size:0.85em;font-family:Consolas,Inconsolata,Courier,monospace;margin:0px 0.15em;padding:0px 0.3em;white-space:pre-wrap;border:1px solid rgb(234,234,234);background-color:rgb(248,248,248);border-radius:3px;display:inline">enp3s0</code> is the switch.</p>
<p style="margin:0px 0px 1.2em!important">All traffic mirrored from the switch is processed while the one from the firewall is not. When doing an SSL connection in Zeek I can see the SSL encrypted flow mirrored from the switch and also the HTTP decrypted traffic from the firewall. In suricata I see only the SSL encrypted traffic.</p>
<div title="MDH:SGVsbG8gTmVsc29uIHRoYW5rIHlvdSBmb3IgeW91ciBpbnNpZ2h0cy48ZGl2Pjxicj48L2Rpdj48
ZGl2PlRoZSBpbmJvdW5kIGNhc2Ugb2J2aW91c2x5IGlzIHRoZSBtb3JlIGludGVyZXN0aW5nIG9u
ZSBzaW5jZSB5b3UgY2FuIGluc3BlY3QgYWxsIGluYm91bmQgYXR0YWNrcyBoaXR0aW5nIHlvdXIg
c2VydmVycy48L2Rpdj48ZGl2PlVuZm9ydHVuYXRlbHkgaXQgc2VlbXMgdGhlIHdheSB0byBnbyBm
b3IgYWxsIGZpcmV3YWxsIHZlbmRvcnMgaXMgdG8gc2VsbCB0aGUgY2xpZW50IFNTTCBpbnNwZWN0
aW9uIGFzIHRoZSBob2x5IGdyYWlsIHRvIHNvbHZlIGFsbCBzZWN1cml0eSBwcm9ibGVtcywgSSBh
Z3JlZSB3aXRoIHlvdSB0aGF0IGlzIG5vdCBzbyA8c3BhbiB6ZXVtNGMwPSIxNTgyNzEyMzA4OTk4
IiBkYXRhLWRkbndhYj0iMTU4MjcxMjMwODk5OCIgY2xhc3M9Im5nIiBkYXRhLXdwa2d2PSJ0cnVl
Ij51c2VmdWw8L3NwYW4+Jm5ic3A7YnV0IHNvbWUgb2Ygb3VyIGNsaWVudHMgaGF2ZSBpdCBlbmFi
bGVkIHNvIGFuYWx5emluZyB0aGUgdHJhZmZpYyBvbiBzdXJpY2F0YSB3b3VsZCBiZSB1c2VmdWwg
Zm9yIG1lLjwvZGl2PjxkaXY+PGJyPjwvZGl2PjxkaXY+QWxzbyBJIHJlYWQgdGhhdCBFVCBpcyBw
bGFubmluZyB0byByZWxlYXNlIHNvbWUgc2lnbmF0dXJlIHNwZWNpZmljYWxseSBmb3IgVExTLWlu
c3BlY3RlZCB0cmFmZmljLjwvZGl2PjxkaXY+PGJyPjwvZGl2PjxkaXY+SG93ZXZlciBJIGRpZCBz
b21lIHRlc3RpbmcgYW5kIGl0IGxvb2tzIGxpa2UgdGhhdCBpZiBJJ20gb25seSBzbmlmZmluZyBm
cm9tIHRoZSBmaXJld2FsbCBpbnRlcmZhY2UgZXZlcnl0aGluZyBpcyB3b3JraW5nIGZpbmUuIFRo
ZSBpc3N1ZSBzdGFydHMgd2hlbiBJJ20gc25pZmZpbmcgYm90aCBmcm9tIHRoZSBtaXJyb3IgcG9y
dCBvbiB0aGUgc3dpdGNoIGFuZCBvbiB0aGUgZmlyZXdhbGwgd2l0aCB0aGlzIGNvbmZpZ3VyYXRp
b246PC9kaXY+PGRpdj5gYGA8L2Rpdj48ZGl2PmFmLXBhY2tldDo8YnI+Jm5ic3A7IC0gaW50ZXJm
YWNlOiBlbnA0czA8YnI+Jm5ic3A7ICZuYnNwOyB0aHJlYWRzOiAyPGJyPiZuYnNwOyAmbmJzcDsg
Y2x1c3Rlci1pZDogMTxicj4mbmJzcDsgJm5ic3A7IGNsdXN0ZXItdHlwZTogY2x1c3Rlcl9mbG93
PGJyPiZuYnNwOyAmbmJzcDsgZGVmcmFnOiB5ZXMgIyBUbyB1c2UgdGhlIHJpbmcgZmVhdHVyZSBv
ZiBBRl9QQUNLRVQsIHNldCAndXNlLW1tYXAnIHRvIHllczxicj4mbmJzcDsgJm5ic3A7IHVzZS1t
bWFwOiB5ZXMgPGJyPiZuYnNwOyAmbmJzcDsgdHBhY2tldC12MzogeWVzIDxicj4mbmJzcDsgLSBp
bnRlcmZhY2U6IGVucDNzMDxicj4mbmJzcDsgJm5ic3A7IHRocmVhZHM6IDI8YnI+Jm5ic3A7ICZu
YnNwOyBjbHVzdGVyLWlkOiAyPGJyPiZuYnNwOyAmbmJzcDsgY2x1c3Rlci10eXBlOiBjbHVzdGVy
X2Zsb3c8YnI+Jm5ic3A7ICZuYnNwOyBkZWZyYWc6IHllcyAjIFRvIHVzZSB0aGUgcmluZyBmZWF0
dXJlIG9mIEFGX1BBQ0tFVCwgc2V0ICd1c2UtbW1hcCcgdG8geWVzPGJyPiZuYnNwOyAmbmJzcDsg
dXNlLW1tYXA6IHllczxicj4mbmJzcDsgJm5ic3A7IHRwYWNrZXQtdjM6IHllczxicj48L2Rpdj48
ZGl2PmBgYDwvZGl2PjxkaXY+YGVucDRzMGAgaXMgdGhlIGZpcmV3YWxsIG1pcnJvciBwb3J0IGFu
ZCBgZW5wM3MwYCBpcyB0aGUgc3dpdGNoLjwvZGl2PjxkaXY+PGJyPjwvZGl2PjxkaXY+QWxsIHRy
YWZmaWMgbWlycm9yZWQgZnJvbSB0aGUgc3dpdGNoIGlzIHByb2Nlc3NlZCB3aGlsZSB0aGUgb25l
IGZyb20gdGhlIGZpcmV3YWxsIGlzIG5vdC4gV2hlbiBkb2luZyBhbiBTU0wgY29ubmVjdGlvbiBp
biBaZWVrIEkgY2FuIHNlZSB0aGUgU1NMIGVuY3J5cHRlZCBmbG93IG1pcnJvcmVkIGZyb20gdGhl
IHN3aXRjaCBhbmQgYWxzbyB0aGUgSFRUUCBkZWNyeXB0ZWQgdHJhZmZpYyBmcm9tIHRoZSBmaXJl
d2FsbC4gSW4gc3VyaWNhdGEgSSBzZWUgb25seSB0aGUgU1NMIGVuY3J5cHRlZCB0cmFmZmljLjwv
ZGl2Pg==" style="height:0;width:0;max-height:0;max-width:0;overflow:hidden;font-size:0em;padding:0;margin:0"></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Il giorno mar 25 feb 2020 alle ore 20:04 Cooper F. Nelson <<a href="mailto:cnelson@ucsd.edu">cnelson@ucsd.edu</a>> ha scritto:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF">
    <p>Have you tried logging http to file, to ensure that suricata is
      decoding it?  <br>
    </p>
    <p>Have you tried enabling the http-events rules?</p>
    <p><a href="https://github.com/OISF/suricata/blob/master/rules/http-events.rules" target="_blank">https://github.com/OISF/suricata/blob/master/rules/http-events.rules</a></p>
    <p>In my personal experience, I haven't seen any evidence of
      malicious behavior over tls from common sources (trusted
      domains/IPs) to our clients.  This is based on cross-referencing
      EDR alerts with suricata.  We sinkhole bad IPs and domains
      automatically, which will stop the bulk of these attacks entirely
      from 'known bad' sources.  I have observed malicious activity
      inbound over tls to servers, however.  <br>
    </p>
    <p>For malware that uses tls, like Dridex, the EmergingThreats team
      will release signatures for the certificates, so you may actually
      be losing visibility by decoding the traffic.  I'm not sure if
      they have sigs to detect the decoded CnC traffic for malware
      families that utilize tls.  <br>
    </p>
    <p>-Coop<br>
    </p>
    <div>On 2/25/2020 8:53 AM, Federico Foschini
      wrote:<br>
    </div>
    <blockquote type="cite">
      <p style="margin:0px 0px 1.2em">Hello,<br>
        I’ve configured my firewall to mirror SSL-decrypted traffic to a
        server in which I’m running suricata 5.0</p>
      <p style="margin:0px 0px 1.2em">I cannot trigger any
        alert on this type of traffic, even if using zeek or wireshark I
        can clearly see that the traffic is HTTP (but on port 443).</p>
      <p style="margin:0px 0px 1.2em">In <code style="font-size:0.85em;font-family:Consolas,Inconsolata,Courier,monospace;margin:0px 0.15em;padding:0px 0.3em;white-space:pre-wrap;border:1px solid rgb(234,234,234);background-color:rgb(248,248,248);border-radius:3px;display:inline">suricata.yaml</code>
        I’ve added port 443 in HTTP_PORTS variable:</p>
      <pre style="font-family:Consolas,Inconsolata,Courier,monospace;font-size:1em;line-height:1.2em;margin:1.2em 0px"><code style="font-size:0.85em;font-family:Consolas,Inconsolata,Courier,monospace;margin:0px 0.15em;background-color:rgb(248,248,248);white-space:pre-wrap;overflow:auto;border-radius:3px;border:1px solid rgb(204,204,204);padding:0.5em 0.7em;display:block">port-groups:
    HTTP_PORTS: "[80,81,311,383, 443, ...]"
</code></pre>
    </blockquote>
    <pre cols="72">-- 
Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
<a href="mailto:cnelson@ucsd.edu" target="_blank">cnelson@ucsd.edu</a> x41042</pre>
  </div>

</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature">Federico Foschini.</div>