[Oisf-users] Suricata + SSLProxy

F.Tremblay fcourrier at gmail.com
Wed Jul 18 02:25:53 UTC 2018


It's the elephant in the room... Been running suricata for years and
today I'm having a hard time finding HTTP, cleartext webpages to test
rules.

Everybody can encrypt with a $5 cert from GoDaddy or Let's Encrypt.
If you don't do MiTM, you see nothing.

And let's not talk about just how easy it is to evade detection in HTTP...

It's possible with sslproxy and suricata, you just need a python
script to strip the sslproxy header, send it to MiTMproxy, and voilà;
all cleartext.

Making suricata understand the sslproxy header is no biggie, you still
have to make sslproxy work, evade JA3 detection, push the certs,
etc...

Not like we were revealing the elephant...

F.

On 7/17/18, Marco Aurelio <marcoaurelio22 at gmail.com> wrote:
> Hello, is it possible to use Suricata to correctly read the SSLProxy
> header?
> SSLProxy delivers encrypted SSL traffic in plain text to SNORT, and I
> would like to use Suricata.
>
> https://github.com/sonertari/SSLproxy
>
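
One way to do the header-stripping step the post describes, as an added example that is neither the poster's script nor SSLproxy's own code: it splits the prepended "SSLproxy:" line off a decrypted buffer so the remaining cleartext can be handed to an inspection tool. The header line layout and the trailing s/p flag are assumptions modelled on SSLproxy's documentation, and the sample buffer is constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed header shape (an assumption for this example, not taken from the
# original post): one line prepended by SSLproxy to the decrypted stream:
#   SSLproxy: [src_ip]:src_port,[dst_ip]:dst_port,[target_ip]:target_port,FLAG\r\n
# where FLAG is 's' (stream was TLS) or 'p' (stream was plain).
HEADER_RE = re.compile(
    rb"^SSLproxy: \[(?P<src_ip>[^\]]+)\]:(?P<src_port>\d+),"
    rb"\[(?P<dst_ip>[^\]]+)\]:(?P<dst_port>\d+),"
    rb"\[(?P<tgt_ip>[^\]]+)\]:(?P<tgt_port>\d+),(?P<flag>[sp])\r?\n"
)


@dataclass
class ProxyMeta:
    src: Tuple[str, int]      # original client address
    dst: Tuple[str, int]      # address the proxy accepted on
    target: Tuple[str, int]   # real server the client wanted
    tls: bool                 # True when the original stream was TLS


def strip_sslproxy_header(data: bytes) -> Tuple[Optional[ProxyMeta], bytes]:
    """Split an SSLproxy-prefixed buffer into (metadata, cleartext payload).

    Returns (None, data) unchanged when no header is present, so a forwarder
    never silently drops bytes it did not understand.
    """
    m = HEADER_RE.match(data)
    if not m:
        return None, data
    meta = ProxyMeta(
        src=(m["src_ip"].decode(), int(m["src_port"])),
        dst=(m["dst_ip"].decode(), int(m["dst_port"])),
        target=(m["tgt_ip"].decode(), int(m["tgt_port"])),
        tls=(m["flag"] == b"s"),
    )
    return meta, data[m.end():]


# Constructed sample: what a listener would read from SSLproxy's connection.
SAMPLE = (
    b"SSLproxy: [127.0.0.1]:34649,[192.168.3.24]:47286,[74.125.69.139]:443,s\r\n"
    b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
)

if __name__ == "__main__":
    meta, payload = strip_sslproxy_header(SAMPLE)
    print(meta)
    print(payload.decode())
```

The metadata is what an IDS would otherwise lose once the proxy rewrites the connection, so keep it alongside the payload rather than discarding the line.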


More information about the Oisf-users mailing list