[Oisf-users] Installing suricata inline in a squid host
C. L. Martinez
carlopmart at gmail.com
Thu Feb 11 10:28:23 UTC 2016
On Wed 10.Feb'16 at 8:52:36 -0800, Cooper F. Nelson wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 2/10/2016 12:23 AM, C. L. Martinez wrote:
> > Hi all,
> >
> > I have installed a squid host as a mitm proxy for http and https
> > requests. My idea is to install suricata inline inside this host but I
> > have two doubts:
> >
> > a/ if I am not wrong I can only use iptables rules instead of afpacket
> > to monitor all requests. Is it correct?
>
> I've heard you can do it with afpacket, but I've only done it with
> iptables. Here are the details:
Ok. To use iptables, are these ok?
iptables -t mangle -I FORWARD -i eth0 -p tcp --dport 80 -j NFQUEUE --queue-num 1
iptables -t mangle -I OUTPUT -o eth0 -p tcp --dport 80 -j NFQUEUE --queue-num 1
>
> > https://home.regit.org/2012/09/new-af_packet-ips-mode-in-suricata/
>
> > b/ Since I am using sslbump to decrypt ssl requests, how can I
> > configure suricata and iptables to "see" the payload of these decrypted
> > connections?
>
> This isn't possible currently. The SSL interception takes place in user
> space, not kernel space, where suricata inspects traffic.
Uhmm .. Understood. But does another solution exist to make it work at kernel space? For example, the snort commercial version can do that: it acts like sslstrip, intercepts traffic, inspects it and re-encrypts it ...
Many thanks for your help.
--
Greetings,
C. L. Martinez