[Oisf-users] Capturing encrypted traffic

Jake Gionet gionet.jake at gmail.com
Wed Feb 20 12:32:52 UTC 2013


I believe there are two options for doing this.  First is setting your
stream variables in a way that causes Suricata to continue to inspect
encrypted traffic (I forget if/how this is possible at the moment).  The
second is setting "use-stream-depth: no" in the pcap-log section.  If you
want an example take a look at
http://rules.emergingthreats.net/open/suricata-1.3/suricata-1.3-open.yaml

For what it's worth, I found the packet capture output from Suricata to be
very inefficient.  Running tcpdump at the same time produced much better
results for me.  There are some programs that capture more efficiently than
tcpdump which you may want to explore as well.


Jake Gionet




On Tue, Feb 19, 2013 at 5:55 PM, Mike Ware <mware at zettaset.com> wrote:

> Is there a way to set the pcap logging to capture encrypted traffic?
> Thanks
> Mike
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
>
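The pcap-log setting mentioned above, shown as an added suricata.yaml fragment (not from the original post or from the linked ET config): the first block keeps the default, where pcap logging stops at the stream reassembly depth and so misses the bulk of a long encrypted session, the second turns that coupling off. The filename, limit and depth values are illustrative.

```yaml
# Default behaviour: once a flow passes stream.reassembly.depth, Suricata
# stops reassembling it and pcap-log stops writing its packets as well.
# For a TLS session that means only the handshake and the first
# <depth> bytes of application data ever reach the pcap.
stream:
  reassembly:
    depth: 1mb          # illustrative value; inspection stops here per flow

outputs:
  - pcap-log:
      enabled: yes
      filename: log.pcap
      limit: 1000mb     # illustrative rotation size
      max-files: 2000
      mode: normal
      use-stream-depth: yes   # default: capture tied to the depth above

# Corrected: keep writing packets for the whole flow even after
# stream inspection has given up on it. Expect noticeably larger
# pcaps and more disk I/O on links carrying lots of encrypted traffic.
outputs:
  - pcap-log:
      enabled: yes
      filename: log.pcap
      limit: 1000mb
      max-files: 2000
      mode: normal
      use-stream-depth: no    # capture every packet regardless of depth
```

A quick way to confirm the change took effect is to compare the byte count of one long TLS flow in the resulting pcap against the same flow in a parallel tcpdump capture.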