[Oisf-users] Suricata >3.0 to sniff bumped ssl traffic from squid
Petr Skovoroda
petrskovoroda at gmail.com
Fri Sep 9 21:30:28 UTC 2016
Hello,
We seek your assistance in our project.
We are building a router, which should provide a secure connection to
any user. And we want an IDS/IPS to inspect all kinds of communication in
our network: tor, i2p and direct.
But we also want to inspect all SSL traffic. To do so, we use the squid
proxy with its ssl-bump feature to perform MITM.
All decrypted traffic goes to an ICAP server, where it is scanned by
Clam AntiVirus.
To accomplish our goal, we are going to make Suricata listen on two
interfaces:
- On LAN Suricata is going to detect potentially bad traffic
(incoming and outgoing), block attackers/compromised hosts, tor exit
nodes, etc.
- On localhost Suricata is supposed to scan the ICAP port for bad
content: browser/ActiveX exploits, malware, attacks, etc.
This will allow us to secure the entire network.
So, the problem is that for some reason Suricata >=3.1 is unable to
listen on loopback in afp mode. When I run it with the -i lo option, it dies
with these messages:
<Error> - [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Frame size bigger than
block size
<Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET
socket, fatal error
The same configuration works fine with Suricata v3.0.0. I can actually sniff
loopback and examine all the traffic on the ICAP port.
I checked git blame on GitHub, but couldn't find anything since the 3.0 release.
I want to ask whether this is actually possible.
And if not, is there any other solution to scan decrypted traffic from
squid with Suricata?
--
Best regards,
Peter
[Attachment: Suricata Implementation.png (image/png, 37368 bytes), URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20160910/95599b9f/attachment-0001.png>]
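Editor's note, added here and not part of the post above: the "Frame size bigger than block size" error comes from Suricata's AF_PACKET ring setup, which refuses to start when a single captured frame (roughly the interface MTU plus link-layer and tpacket header overhead) does not fit in one ring block. On Linux the loopback interface has a 65536-byte MTU, so a frame for `lo` is larger than the default `block-size: 32768` in the af-packet section of suricata.yaml, while a 1500-byte MTU NIC fits comfortably. The script below is a constructed example (not Suricata's own code): it estimates the frame size for a given MTU, picks the smallest power-of-two block size that satisfies the check, and prints the af-packet snippet to put in suricata.yaml. The 128-byte header overhead, the use of /sys/class/net/<iface>/mtu, and the 65536 fallback when sysfs is not readable are assumptions of this example; Suricata's exact frame-size arithmetic differs slightly, so treat the output as a lower bound and round up if in doubt.

```sh
#!/bin/sh
# Added example: estimate the AF_PACKET frame size Suricata needs for an
# interface MTU and choose an af-packet block-size that it fits in.
# Assumption (constructed, not Suricata's formula): one frame is the MTU plus
# ~128 bytes of link-layer + tpacket header/padding, rounded up to 16 bytes.
HDR_OVERHEAD=128

# frame_size MTU -> estimated per-frame ring slot size, 16-byte aligned
frame_size() {
    mtu=$1
    raw=$((mtu + HDR_OVERHEAD))
    echo $(( (raw + 15) / 16 * 16 ))
}

# fits MTU BLOCKSIZE -> success if a frame for MTU fits in one block,
# i.e. the condition Suricata enforces before creating the ring
fits() {
    [ "$(frame_size "$1")" -le "$2" ]
}

# min_block_size MTU -> smallest power of two >= frame size, starting from
# Suricata's default block-size of 32768 (AF_PACKET requires a power of two)
min_block_size() {
    fs=$(frame_size "$1")
    bs=32768
    while [ "$bs" -lt "$fs" ]; do
        bs=$((bs * 2))
    done
    echo "$bs"
}

# read_mtu IFACE -> MTU from sysfs; assumed fallback of 65536 (Linux loopback
# default) when sysfs is not available, e.g. when run offline or non-Linux
read_mtu() {
    if [ -r "/sys/class/net/$1/mtu" ]; then
        cat "/sys/class/net/$1/mtu"
    else
        echo 65536
    fi
}

# suggest_yaml IFACE MTU -> af-packet interface stanza for suricata.yaml
# using the block-size computed above (cluster-id is an assumed placeholder)
suggest_yaml() {
    iface=$1
    bs=$(min_block_size "$2")
    printf '  - interface: %s\n' "$iface"
    printf '    cluster-id: 99\n'
    printf '    cluster-type: cluster_flow\n'
    printf '    tpacket-v3: yes\n'
    printf '    block-size: %s\n' "$bs"
}

# Stand-alone usage: show why a 1500-byte NIC starts with defaults but lo
# needs a larger block-size, then print the stanza for lo.
for iface in eth0 lo; do
    case $iface in
        eth0) mtu=1500 ;;            # constructed sample MTU
        lo)   mtu=$(read_mtu lo) ;;
    esac
    if fits "$mtu" 32768; then
        echo "$iface: mtu=$mtu frame=$(frame_size "$mtu") fits default block-size 32768"
    else
        echo "$iface: mtu=$mtu frame=$(frame_size "$mtu") needs block-size $(min_block_size "$mtu")"
    fi
done
echo "--- af-packet snippet for lo ---"
suggest_yaml lo "$(read_mtu lo)"
```

The alternative to raising `block-size` is lowering the loopback MTU (e.g. `ip link set lo mtu 1500`), which makes the default ring parameters fit; that changes kernel behaviour for every local socket, so adjusting the Suricata af-packet stanza is the narrower fix.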