[Oisf-users] Installing suricata inline in a squid host

C. L. Martinez carlopmart at gmail.com
Thu Feb 11 10:28:23 UTC 2016

On Wed 10.Feb'16 at  8:52:36 -0800, Cooper F. Nelson wrote:
> Hash: SHA1
> On 2/10/2016 12:23 AM, C. L. Martinez wrote:
> > Hi all,
> > 
> > I have installed a squid host as a mitm proxy for http and https
> > requests. My idea is to install suricata online inside this host but I
> > have two doubts:
> > 
> > a/ if I am not wrong I can only use iptables rules instead of afpacket
> > to monitor all requests. Is it correct?
> I've heard you can do it with afpacket, but I've only done it with
> iptables.  Here are the details:

Ok. To use iptables, are these ok?

iptables -t mangle -I FORWARD -i eth0 -p tcp --dport 80 -j NFQUEUE 
--queue-num 1

iptables -t mangle -I OUTPUT -i eth0 -p tcp --dport 80 -j NFQUEUE 
--queue-num 1

> > https://home.regit.org/2012/09/new-af_packet-ips-mode-in-suricata/
> > b/ Due to I am using sslbump to decrypt ssl requests, how can I
> > configure suricata and iptables to "see" the payload ofthese decrypted
> > connections?.
> This isn't possible currently.  The SSL interception takes place in user
> space, not kernel space, where suricata inspects traffic.

Uhmm .. Understood. But exists other solution to make it work at kernel space?? For example, snort commercial version can do that: acts like sslstrip, intercepts traffic, inspect and returns to encrypt ...

Many thanks for your help.

C. L. Martinez

More information about the Oisf-users mailing list