[Oisf-users] Encrypted Traffic

Cooper F. Nelson cnelson at ucsd.edu
Wed Jan 28 19:30:14 UTC 2015


I've done deployments like this in the past with Snort, the way you do
it is to use an SSL concentrator to encrypt traffic on the edge of your
network and run the IDS behind it.  As far as I know there are no plans
to allow suricata to natively decrypt traffic.

It's important to note that cipher suites that properly implement DHE
cannot be monitored at all, even if you have the server keys.  The way
commercial products monitor them is to proxy the SSL session and knock
it down to a weaker encryption suite that doesn't provide perfect
forward secrecy on the inside of the network.

If you really wanted to I suppose you could use tshark to decrypt the
traffic and then pipe it into suricata.  This would have pretty bad
performance and would only work for small deployments, however.

Now that I think about it, it might be possible to configure tshark to
spool decrypted IPSEC traffic to a file and then have suricata process
it asynchronously, but I'm not sure if that would work.

-Coop

On 1/28/2015 10:36 AM, Leonard Jacobs wrote:
> How is all this affected if one uses af-packet method of IPS?  Won't
> the traffic still look to Suricata as encrypted and won't be able to
> interrogate the traffic?
> Is there anything today or in the future where Suricata will be able
> see the traffic unencrypted natively?
> Thanks.

-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
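An added illustration of the forward-secrecy point in the mail above (this is not code from the post, from Suricata or from tshark). It models a passive tap that holds the server's long-term private key: with RSA key exchange the client's pre-master secret travels encrypted to that key, so the tap recovers the session key from the capture; with DHE the long-term key only signs ephemeral values, so the capture plus the private key still leaves the tap needing a discrete log. It also shows the proxy arrangement the mail describes, where the inside leg is re-originated without forward secrecy. All parameters (the 61/53 RSA key, the 2^31-1 DH group, the hash-based key derivation) are constructed toy values that run offline; they are not secure and do not match real TLS message formats.

```python
import hashlib
import secrets

# Toy textbook RSA key for the server (constructed, tiny, insecure).
P, Q = 61, 53
N = P * Q                            # 3233
E = 17
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, 2753


def rsa_pub(m: int) -> int:
    """Public-key operation: encrypt, or verify a signature."""
    return pow(m, E, N)


def rsa_priv(c: int) -> int:
    """Private-key operation: decrypt, or sign. This is what the tap holds."""
    return pow(c, D, N)


def session_key(secret: int) -> bytes:
    """Stand-in for TLS key derivation: hash the agreed secret."""
    return hashlib.sha256(secret.to_bytes(8, "big")).digest()


# ---- RSA key exchange (no forward secrecy) ----
def rsa_kex_session():
    """Client picks a pre-master secret and encrypts it to the server's public
    key. Returns (client_key, server_key, wire), wire being what the tap sees."""
    premaster = secrets.randbelow(N - 2) + 2
    wire = rsa_pub(premaster)                  # ClientKeyExchange contents
    return session_key(premaster), session_key(rsa_priv(wire)), wire


def monitor_rsa_kex(wire: int) -> bytes:
    """A passive tap holding the server private key recovers the session key
    from the capture alone: the 'give the IDS the server keys' model."""
    return session_key(rsa_priv(wire))


# ---- DHE key exchange (forward secrecy) ----
G, PRIME = 5, 2147483647    # constructed toy group: generator 5, prime 2^31-1


def _hash_to_int(value: int) -> int:
    return int.from_bytes(hashlib.sha256(value.to_bytes(8, "big")).digest(), "big") % N


def sign(value: int) -> int:
    """Server signs its ephemeral DH value with the long-term RSA key."""
    return rsa_priv(_hash_to_int(value))


def verify(value: int, sig: int) -> bool:
    return rsa_pub(sig) == _hash_to_int(value)


def dhe_session():
    """Both sides pick fresh exponents; the server signs its public value.
    Returns (client_key, server_key, wire)."""
    a = secrets.randbelow(PRIME - 2) + 1
    b = secrets.randbelow(PRIME - 2) + 1
    A, B = pow(G, a, PRIME), pow(G, b, PRIME)
    wire = (A, B, sign(B))                     # what the tap sees
    return session_key(pow(B, a, PRIME)), session_key(pow(A, b, PRIME)), wire


def monitor_dhe(wire, max_steps: int = 50_000):
    """Passive tap holding the server private key. The key lets it verify the
    signature, but g^ab depends only on the ephemeral exponents, so the only
    route left is a discrete log on A. A bounded brute force is attempted and
    abandoned: returns (signature_ok, session_key_or_None)."""
    A, B, sig = wire
    ok = verify(B, sig)
    x = 1
    for a in range(1, max_steps):
        x = (x * G) % PRIME                    # x == G^a mod PRIME
        if x == A:
            return ok, session_key(pow(B, a, PRIME))
    return ok, None                            # the private key did not help


def proxying_monitor() -> bool:
    """The commercial arrangement from the mail: a proxy terminates the DHE
    session on the outside and re-originates a non-PFS (RSA key exchange)
    session on the inside, so an inside tap with the key can decrypt."""
    _outside_client, _outside_server, _ = dhe_session()     # opaque to a tap
    inside_client, inside_server, wire = rsa_kex_session()  # readable inside
    return monitor_rsa_kex(wire) == inside_client == inside_server
```

Run it and the RSA-key-exchange tap returns the same key both endpoints derived, while the DHE tap returns a valid signature check and no key; making the inside leg non-PFS is what turns the second case back into the first, which is exactly the trade the mail points out.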

