[Oisf-users] Suricata + SSLProxy

Cooper F. Nelson cnelson at ucsd.edu
Thu Jul 19 17:34:05 UTC 2018

I'll be talking about this @SuriCon; without going into the full details
here, I can say that it is a complex topic at the very least.

I will mention that Gigamon is now offering switched taps that can
proxy/decrypt TLS sessions, with other vendors following suit.  So there
are hardware solutions available that can solve this for existing IDS.


On 7/17/2018 7:25 PM, F.Tremblay wrote:
> It's the elephant in the room... Been running suricata for years and
> today I'm having a hard time finding HTTP, cleartext webpages to test
> rules.
> Everybody can encrypt with a $5 cert from GoDaddy or Let's Encrypt.
> If you don't do MiTM, you see nothing.
> And let's not talk about just how easy it is to evade detection in HTTP...
> It's possible with sslproxy and suricata, you just need a python
> script to strip the sslproxy header, send it to MiTMproxy, and voilà;
> all cleartext.
> Making suricata understand sslproxy header is no biggie, you still
> have to make sslproxy work, evade JA3 detection, push the certs,
> etc...
> Not like we were revealing the elephant...
> F.

Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
cnelson at ucsd.edu x41042
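As an added illustration of the "strip the sslproxy header" step mentioned in the quoted reply (example code written for this archive page, not code from the thread, from SSLproxy or from mitmproxy): a small Python helper that pulls the SSLproxy metadata line out of a decrypted HTTP request and returns the clean request for a downstream inspector. The header format in the docstring and the sample request are assumptions constructed here; check the format against your own SSLproxy build.

```python
"""Strip the SSLproxy metadata line from a proxied HTTP request.

Assumed format (not taken from the thread): SSLproxy in split mode prepends
one header line of the form
  SSLproxy: [<proxy-ip>]:<port>,[<client-ip>]:<port>,[<server-ip>]:<port>,<s|p>
where the last field says whether the original connection was TLS (s) or
plain (p).  The line must be removed before the cleartext is handed to a
tool such as mitmproxy or Suricata, but its addresses are worth keeping
so alerts can be tied back to the real client and server.
"""
import re

SSLPROXY_RE = re.compile(
    r"^SSLproxy:\s*\[(?P<lip>[^\]]+)\]:(?P<lport>\d+),"
    r"\[(?P<cip>[^\]]+)\]:(?P<cport>\d+),"
    r"\[(?P<sip>[^\]]+)\]:(?P<sport>\d+),(?P<mode>[sp])\s*$"
)

# Constructed sample request; addresses are documentation ranges, not real hosts.
SAMPLE_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"SSLproxy: [127.0.0.1]:8443,[192.0.2.10]:51234,[198.51.100.5]:443,s\r\n"
    b"User-Agent: constructed-sample\r\n"
    b"\r\n"
)


def strip_sslproxy_header(request: bytes):
    """Return (metadata or None, request with the SSLproxy line removed).

    Only the first matching line is treated as metadata; a request that
    carries no SSLproxy line is returned unchanged with metadata None.
    """
    head, sep, body = request.partition(b"\r\n\r\n")
    kept, meta = [], None
    for line in head.split(b"\r\n"):
        m = SSLPROXY_RE.match(line.decode("latin-1"))
        if m and meta is None:
            meta = {
                "return_to": (m["lip"], int(m["lport"])),
                "client": (m["cip"], int(m["cport"])),
                "server": (m["sip"], int(m["sport"])),
                "tls": m["mode"] == "s",
            }
            continue  # drop the metadata line from the forwarded request
        kept.append(line)
    return meta, b"\r\n".join(kept) + sep + body
```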
