[Oisf-users] Encrypted Traffic

Leonard Jacobs ljacobs at netsecuris.com
Wed Jan 28 18:36:20 UTC 2015

How is all this affected if one uses af-packet method of IPS?  Won't the traffic still look to Suricata as encrypted and won't be able to interrogate the traffic?

Is there anything today or in the future where Suricata will be able see the traffic unencrypted natively?


-----Original Message-----
From: oisf-users-bounces at lists.openinfosecfoundation.org [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of Victor Julien
Sent: Wednesday, January 28, 2015 5:04 AM
To: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Encrypted Traffic

On 01/28/2015 11:48 AM, Phil Daws wrote:
> within my lab I have two VMs that are acting as firewalls and connected via an IPSEC tunnel with GRE.  A VM on one end sends traffic over this tunnel to another on the other side.  This traffic should not be subjected to Suricata inspection, as am using inline, so what would be the best way to suppress that ?

In general, check
 Note that BPF won't work in inline mode.

I'd imagine a rule like "pass ip any any -> any any (ip_proto:47; ...)

If you run the iptables/nfq based inline method you can also use iptables to control which part of the traffic is inspected by Suri.

Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc

Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
Training now available: http://suricata-ids.org/training/

More information about the Oisf-users mailing list