[Oisf-users] Recommend communication mechanism between Suricata engine and another process
tidy at holonetsecurity.com
Mon Apr 10 06:00:38 UTC 2017
Thanks Andreas, currently Suricata isn't able to act as an SSL forward proxy; what we need to do is inspect both plain-text traffic (already supported) and our decrypted SSL traffic from a MITM proxy deployed on the same host.
So what's your advice on how we should deploy the Suricata process to achieve this goal?
-Tidy
> On Apr 2, 2017, at 3:48 AM, Andreas Herz <andi at geekosphere.org> wrote:
>
> Hi,
>
> On 25/03/17 at 23:07, tidy at holonetsecurity.com wrote:
>> Hi Andreas,
>>
>> The SSL proxy works as a transparent proxy (using iptables TPROXY) plus bridge mode; the bridge interfaces, say eth1, are used to receive the packets and lo to forward them.
>> On the other side, since the SSL proxy works on application-layer data, it would need to fake L2 + L3 packet headers if Unix sockets were chosen as the communication channel, so I am not sure which one is more suitable to solve this.
>> I very much appreciate your kind help!
>
> I'm not familiar with such a setup, so would need to create one.
> You could try to make a test setup within that you activate pcap log of
> suricata and could send us a test traffic so we might see anything
> special that suricata receives.
> You could also take a look into the NFQUEUE netfilter target, maybe you
> can reroute the traffic within iptables to suricata in a more sane way.
> But that's just a guess.
>
>> -Tidy
>>
>>> On Mar 25, 2017, at 7:56 AM, Andreas Herz <andi at geekosphere.org> wrote:
>>>
>>> On 24/03/17 at 10:01, tidy at holonetsecurity.com wrote:
>>>> I'm trying to copy packets from an SSL decrypting process to Suricata on
>>>> the same machine; could you help by recommending a mechanism to talk
>>>> between the SSL decrypting process and Suricata? 1) virtual network
>>>> card interface 2) Unix sockets (Suricata only supports pcap files via a
>>>> command) 3) ?
>>>
>>> Well what process are you using and how does it receive and forward the
>>> packets?
>>>
>>> --
>>> Andreas Herz
>>> _______________________________________________
>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
>
> --
> Andreas Herz
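The header-faking problem raised in the thread (a proxy that holds only decrypted application-layer bytes must wrap them in L2/L3/L4 headers before Suricata can parse them) as an added example, not code from the thread or from the Suricata project: it builds a synthetic TCP session around a sample request and writes it as a pcap that Suricata can read with `-r` or via the unix-socket `pcap-file` command. The MAC and IP addresses, ports, sequence numbers and the HTTP payload are constructed values.

```python
"""Synthetic Ethernet/IPv4/TCP frames around decrypted bytes, written to a pcap for
Suricata. Added illustration; all MACs, addresses, ports and payload are constructed."""
import struct
import time

DST_MAC = bytes.fromhex("020000000002")  # locally administered, constructed
SRC_MAC = bytes.fromhex("020000000001")

def _csum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum, shared by the IPv4 and TCP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def tcp_frame(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Ethernet + IPv4 + TCP with valid checksums (Suricata's stream engine skips bad-checksum segments by default)."""
    ip_src, ip_dst = bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    pseudo = ip_src + ip_dst + struct.pack("!BBH", 0, 6, len(tcp))  # TCP pseudo-header
    tcp = tcp[:16] + struct.pack("!H", _csum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0, ip_src, ip_dst)
    ip = ip[:10] + struct.pack("!H", _csum(ip)) + ip[12:]
    return DST_MAC + SRC_MAC + b"\x08\x00" + ip + tcp

def session_frames(client, server, cport, sport, plaintext):
    """Three-way handshake plus one data segment, so Suricata sees a full session rather than a midstream pickup (ignored by default)."""
    SYN, ACK, PSH = 0x02, 0x10, 0x08
    cs, ss = 1000, 5000  # constructed initial sequence numbers
    return [
        tcp_frame(client, server, cport, sport, cs, 0, SYN),
        tcp_frame(server, client, sport, cport, ss, cs + 1, SYN | ACK),
        tcp_frame(client, server, cport, sport, cs + 1, ss + 1, ACK),
        tcp_frame(client, server, cport, sport, cs + 1, ss + 1, PSH | ACK, plaintext),
    ]

def write_pcap(path, frames):
    """Classic pcap file (link type 1 = Ethernet); returns the number of frames written."""
    with open(path, "wb") as fh:
        fh.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        now = int(time.time())
        for i, frame in enumerate(frames):  # one millisecond apart, in order
            fh.write(struct.pack("<IIII", now, i * 1000, len(frame), len(frame)) + frame)
    return len(frames)

if __name__ == "__main__":
    http = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"  # constructed decrypted request
    print(write_pcap("decrypted.pcap", session_frames("10.0.0.10", "10.0.0.20", 40000, 80, http)))
```

Both checksums are computed because Suricata's `stream.checksum-validation` defaults to on, and the handshake is emitted because `stream.midstream` defaults to off; a proxy that skips either will see its synthetic traffic silently ignored by the stream engine.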