[Oisf-users] Installing suricata inline in a squid host
Cooper F. Nelson
cnelson at ucsd.edu
Wed Feb 10 16:52:36 UTC 2016
On 2/10/2016 12:23 AM, C. L. Martinez wrote:
> Hi all,
>
> I have installed a squid host as a mitm proxy for http and https
> requests. My idea is to install suricata inline inside this host but I
> have two doubts:
>
> a/ if I am not wrong I can only use iptables rules instead of afpacket
> to monitor all requests. Is it correct?
I've heard you can do it with afpacket, but I've only done it with
iptables. Here are the details:

https://home.regit.org/2012/09/new-af_packet-ips-mode-in-suricata/
> b/ Because I am using sslbump to decrypt SSL requests, how can I
> configure suricata and iptables to "see" the payload of these decrypted
> connections?
This isn't possible currently. The SSL interception takes place in user
space, not kernel space, where suricata inspects traffic.
> Thanks in advance.
--
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
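As an added example (not part of this thread and not Suricata's or Squid's own documentation): the iptables side of the answer above, written as a small POSIX sh script that generates NFQUEUE rules for both legs of a proxied connection on the squid host, the client-to-squid leg on INPUT/OUTPUT and the squid-to-origin leg on OUTPUT/INPUT. The proxy port (3128), the queue number (0) and the origin ports (80, 443) are assumptions; adjust them to the squid configuration in use. The script also shows the fail-open versus fail-closed choice: with `--queue-bypass` packets are accepted when no process is bound to the queue, without it they are dropped. As the reply notes, these rules deliver packets, so on the HTTPS legs Suricata sees TLS records on both sides of the bump, not the cleartext that exists only inside squid's user-space process.

```shell
#!/bin/sh
# Added example for inline Suricata (NFQUEUE) on a squid host.
# Assumed values, override via environment: proxy port, queue number,
# origin ports and the iptables binary (set IPT="echo iptables" for a dry run).
PROXY_PORT="${PROXY_PORT:-3128}"
QUEUE_NUM="${QUEUE_NUM:-0}"
ORIGIN_PORTS="${ORIGIN_PORTS:-80,443}"
IPT="${IPT:-iptables}"
# Fail-open by default: if Suricata is not bound to the queue, packets pass.
# Set BYPASS="" for fail-closed behaviour (packets are dropped instead).
BYPASS="${BYPASS:---queue-bypass}"

# Print the four rules that put both directions of both legs into the queue.
# -I inserts at the top of the chain so they take precedence over any ACCEPT
# rule already present; the rules match only proxy and origin ports, so
# loopback helpers (e.g. squid talking to a local ICAP service) are not queued.
nfqueue_rules() {
    cat <<EOF
$IPT -I INPUT  -p tcp --dport $PROXY_PORT -j NFQUEUE --queue-num $QUEUE_NUM $BYPASS
$IPT -I OUTPUT -p tcp --sport $PROXY_PORT -j NFQUEUE --queue-num $QUEUE_NUM $BYPASS
$IPT -I OUTPUT -p tcp -m multiport --dports $ORIGIN_PORTS -j NFQUEUE --queue-num $QUEUE_NUM $BYPASS
$IPT -I INPUT  -p tcp -m multiport --sports $ORIGIN_PORTS -j NFQUEUE --queue-num $QUEUE_NUM $BYPASS
EOF
}

# The Suricata invocation that consumes the queue: -q binds to an NFQUEUE number.
suricata_cmd() {
    printf 'suricata -c /etc/suricata/suricata.yaml -q %s\n' "$QUEUE_NUM"
}

# Execute the generated rules (needs root and iptables with the NFQUEUE target).
apply_rules() {
    nfqueue_rules | while IFS= read -r rule; do
        sh -c "$rule" || return 1
    done
    echo "Rules applied; start Suricata with: $(suricata_cmd)"
}

# Only touch the firewall when explicitly asked: ./nfq.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Start Suricata before applying fail-closed rules, otherwise every proxied connection is dropped until it binds the queue; in either mode, check `suricata` logs for the queue being opened and watch the rule counters with `iptables -L INPUT -v -n` to confirm packets are actually being queued.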