[Oisf-users] Suricata >3.0 to sniff bumped ssl traffic from squid

Andreas Herz andi at geekosphere.org
Mon Sep 12 20:47:06 UTC 2016


On 10/09/16 at 00:30, Petr Skovoroda wrote:
> So, the problem is, that for some reason Suricata >=3.1 is unable to listen
> on loopback in afp mode. When I run it with -i lo option, it dies with these
> messages:
> <Error> - [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Frame size bigger than
> block size
> <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET
> socket, fatal error
> 
> Same configuration works fine with Suricata v3.0.0. I can actually sniff
> loopback and examine all the traffic on the ICAP port.
> I checked blame on github, but couldn't find anything since 3.0 release.

I guess you will have to wait for Victor and Eric to return from the
Developer Training in Paris, they might have an idea.

> I want to ask, if it's actually possible?
> And if not, is there any other solution to scan decrypted traffic from squid
> with Suricata?

There are some people playing around with that, but it's not that easy to
accomplish. But since there is more and more demand, we might take a look
into that scenario.

-- 
Andreas Herz