[Oisf-users] Recommend communication mechanism between Suricata engine and another process

tidy at holonetsecurity.com tidy at holonetsecurity.com
Mon Apr 10 06:00:38 UTC 2017


Thanks Andreas. Currently Suricata can't act as an SSL forward proxy; what we need to do is inspect both plain-text traffic (already supported) and our decrypted SSL traffic from a MITM proxy deployed on the same host.
So what's your advice on how we should deploy the Suricata process to achieve this goal?

-Tidy


> On Apr 2, 2017, at 3:48 AM, Andreas Herz <andi at geekosphere.org> wrote:
> 
> Hi,
> 
> On 25/03/17 at 23:07, tidy at holonetsecurity.com wrote:
>> Hi Andreas,
>> 
>> The SSL proxy works as a transparent proxy (using iptables TPROXY) plus bridge mode; the bridge interface, say eth1, is used to receive the packets and lo to forward them.
>> On the other side, since the SSL proxy works on application-layer data, it needs fake L2 + L3 packet headers if Unix sockets are chosen as the communication channel, so I am not sure which one is more suitable to solve this.
>> I very much appreciate your kind help!
> 
> I'm not familiar with such a setup, so would need to create one.
> You could try to make a test setup within that you activate pcap log of
> suricata and could send us a test traffic so we might see anything
> special that suricata receives.
> You could also take a look into the NFQUEUE netfilter target, maybe you
> can reroute the traffic within iptables to suricata in a more sane way.
> But that's just a guess.
> 
>> -Tidy
>> 
>>> On Mar 25, 2017, at 7:56 AM, Andreas Herz <andi at geekosphere.org> wrote:
>>> 
>>> On 24/03/17 at 10:01, tidy at holonetsecurity.com wrote:
>>>> I'm trying to copy packets from an SSL decrypting process to Suricata on
>>>> the same machine; could you help recommend a mechanism to talk
>>>> between the SSL decrypting process and Suricata? 1) virtual network
>>>> card interface 2) Unix sockets (Suricata only supports pcap files via
>>>> command) 3) ?
>>> 
>>> Well, what process are you using, and how does it receive and forward the
>>> packets?
>>> 
>>> -- 
>>> Andreas Herz
>>> _______________________________________________
>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> 
> 
> -- 
> Andreas Herz
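The thread's second option, handing Suricata the decrypted application data wrapped in synthetic L2 + L3 (+ L4) headers, can be tried without any kernel plumbing by writing a pcap and reading it with `suricata -r file.pcap` (or the `pcap-file` unix-socket command Tidy refers to). The script below is an added example written for this reply; it is not code from the thread, from Tidy's proxy, or from the Suricata project. It assumes the proxy can hand over the plaintext request and response as byte strings, and uses constructed addresses, MACs and HTTP payloads. It synthesizes the TCP handshake as well as the data segments, because Suricata's stream engine will not pick up a session that starts mid-stream unless `stream.midstream` is enabled in suricata.yaml, and it computes real IP and TCP checksums so the packets are not dropped or flagged as invalid.

```python
"""Wrap already-decrypted application data in Ethernet/IPv4/TCP frames and
emit a libpcap file that a packet-based IDS such as Suricata can read.

Added example for the oisf-users thread; all addresses, MACs and payloads
below are constructed, not taken from the original messages.
"""
import socket
import struct
import time

ETH_TYPE_IPV4 = 0x0800
PROTO_TCP = 6
FIN, SYN, PSH, ACK = 0x01, 0x02, 0x08, 0x10
# Locally administered MACs; any value is fine for an offline pcap reader.
CLIENT_MAC = bytes.fromhex("020000000001")
SERVER_MAC = bytes.fromhex("020000000002")

# Constructed plaintext as a MITM proxy would hand it over after decryption.
REQUEST = b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: demo\r\n\r\n"
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum. Over a header that already carries
    a correct checksum field the result is 0, which is how we verify frames."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, payload_len: int, ident: int) -> bytes:
    """20-byte IPv4 header (IHL=5, DF set, TTL 64) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      0x4000, 64, PROTO_TCP, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]


def tcp_segment(src, dst, sport, dport, seq, ack, flags, payload: bytes) -> bytes:
    """20-byte TCP header (no options) plus payload, checksummed over the
    IPv4 pseudo-header as RFC 793 requires."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags,
                      65535, 0, 0)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst),
                         0, PROTO_TCP, len(hdr) + len(payload))
    csum = internet_checksum(pseudo + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def build_frame(src_mac, dst_mac, src, dst, sport, dport, seq, ack, flags,
                payload: bytes, ident: int) -> bytes:
    tcp = tcp_segment(src, dst, sport, dport, seq, ack, flags, payload)
    eth = dst_mac + src_mac + struct.pack("!H", ETH_TYPE_IPV4)
    return eth + ipv4_header(src, dst, len(tcp), ident) + tcp


def synthesize_session(client, server, sport, dport, request, response):
    """Three-way handshake followed by one request and one response segment,
    with consistent sequence/ack numbers so the IDS can reassemble the stream."""
    cseq, sseq = 1000, 5000  # constructed initial sequence numbers
    c2s = (CLIENT_MAC, SERVER_MAC, client, server, sport, dport)
    s2c = (SERVER_MAC, CLIENT_MAC, server, client, dport, sport)
    return [
        build_frame(*c2s, cseq, 0, SYN, b"", 1),
        build_frame(*s2c, sseq, cseq + 1, SYN | ACK, b"", 2),
        build_frame(*c2s, cseq + 1, sseq + 1, ACK, b"", 3),
        build_frame(*c2s, cseq + 1, sseq + 1, PSH | ACK, request, 4),
        build_frame(*s2c, sseq + 1, cseq + 1 + len(request), PSH | ACK, response, 5),
    ]


def verify_frame(frame: bytes) -> bool:
    """Recompute both checksums of an Ethernet/IPv4/TCP frame; True if valid."""
    ip, tcp = frame[14:34], frame[34:]
    pseudo = struct.pack("!4s4sBBH", ip[12:16], ip[16:20], 0, PROTO_TCP, len(tcp))
    return internet_checksum(ip) == 0 and internet_checksum(pseudo + tcp) == 0


def build_pcap(frames, base_ts=None) -> bytes:
    """libpcap 2.4 file (LINKTYPE_ETHERNET) with frames spaced 1 ms apart."""
    ts = int(time.time()) if base_ts is None else base_ts
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", ts, i * 1000, len(f), len(f)) + f
    return out


def write_pcap(path, frames):
    with open(path, "wb") as fh:
        fh.write(build_pcap(frames))


if __name__ == "__main__":
    session = synthesize_session("10.0.0.2", "10.0.0.1", 40000, 443,
                                 REQUEST, RESPONSE)
    write_pcap("decrypted_session.pcap", session)
    # then: suricata -r decrypted_session.pcap -l /tmp/suri-logs
```

The decrypted data is written on port 443 to keep the original endpoints, so the IDS sees cleartext HTTP on an HTTPS port; Suricata's app-layer detection is pattern-based rather than port-based, so it will still parse it as HTTP, but rules that key on `tls` keywords will obviously never match this synthetic traffic. For a live feed rather than a file, the same frames can be handed to a tap or veth interface that Suricata captures on, which is the thread's first option.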