[Oisf-users] Suricata >3.0 to sniff bumped ssl traffic from squid

Petr Skovoroda petrskovoroda at gmail.com
Fri Sep 9 21:30:28 UTC 2016


We seek your assistance in our project.

We are building a router, which should provide a secure connection to 
any user. And we want IDS/IPS to inspect all kind of communications in 
our network: tor, i2p and direct.
But we also want to inspect all ssl traffic. To do so, we use squid 
proxy with ssl-bump feature to perform mitm.
All decrypted traffic goes to icap server, where it's being scanned by 
clam antivirus.

To accomplish our goal, we are going to make Suricata listen on two 
  -  On LAN Suricata is going to detect potentially bad traffic 
(incoming and outgoing), block attackers/compromised hosts, tor exit 
nodes, etc.
  -  On localhost Suricata is supposed to scan icap port for bad 
content: browser/activex exploits, malware, attacks, etc.

This will allow us to secure the entire network.

So, the problem is, that for some reason Suricata >=3.1 is unable to 
listen on loopback in afp mode. When I run it with -i lo option, it dies 
with this messages:
<Error> - [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Frame size bigger than 
block size
<Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET 
socket, fatal error

Same configuration works fine with Suricata v3.0.0. I can actually sniff 
loopback and examine all the traffic on icap port.
I checked blame on github, but couldn't find anything since 3.0 release.

I want to ask, if it's actually possible?
And if not, is there any other solution to scan decrypted traffic from 
squid with Suricata?

Best regards,

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Suricata Implementation.png
Type: image/png
Size: 37368 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20160910/95599b9f/attachment-0001.png>

More information about the Oisf-users mailing list