[Oisf-users] Encrypted Traffic

[Cooper F. Nelson]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've done deployments like this in the past with Snort, the way you do
it is to use an SSL concentrator to encrypt traffic on the edge of your
network and run the IDS behind it.  As far as I know there are no plans
to allow suricata to natively decrypt traffic.

It's important to note that cipher suites that properly implement DHE
cannot be monitored at all, even if you have the server keys.  The way
commercial products monitor them is to proxy the SSL session and knock
it down to a weaker encryption suite that doesn't provide perfect
forward secrecy on the inside of the network.

If you really wanted to I suppose you could use tshark to decrypt the
traffic and then pipe it into suricata.  This would have pretty bad
performance and would only work for small deployments, however.

Now that I think about it, it might be possible to configure tshark to
spool decrypted IPSEC traffic to a file and then have suricata process
it asynchronously, but I'm not sure if that would work.

- -Coop

On 1/28/2015 10:36 AM, Leonard Jacobs wrote:
> How is all this affected if one uses af-packet method of IPS?  Won't
> the traffic still look to Suricata as encrypted and won't be able to
> interrogate the traffic?
> 
> Is there anything today or in the future where Suricata will be able
> see the traffic unencrypted natively?
> 
> Thanks.
> 

- -- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJUyTjGAAoJEKIFRYQsa8FWrt4H/R97ffA8EzYkMCR9vowh4/E7
GI/wsoShh+GU6itLvtengyyd8F0B/si3Z+hAEhvANKiCttmyzzmWlDSbwBrNh+Iz
7pm5++7lXaoGDKp0VPWuqaHfMJLMTJD+fzNKwxEqst+qmArgyJMAc8JCWbpL1r7j
RPRB27Vsc0ccB5r9KTOVNfxM9QHXknWGLPU2PP6Asq6IKtovQ1boaG9aqz8y1hhT
uZYNTAlbqKWs+YE5iVizqS+g8X5xFaNhNuufMVpaEOyvyLVVhgRYvZnaCo1v+Qrd
TtAoePrsXn592sBPPNx19m2TKPTfmLX91gkYPD/dwxIQhOhmfinvw4Dyhs1PTsE=
=N4Nn
-----END PGP SIGNATURE-----