[Oisf-users] Suricata + SSLProxy

Cooper F. Nelson cnelson at ucsd.edu
Thu Jul 19 17:34:05 UTC 2018


I'll be talking about this @SuriCon; without going into the full details
here, I can say that it is a complex topic at the very least.

I will mention that Gigamon is now offering switched taps that can
proxy/decrypt tls sessions, with other vendors following suit.  So there
are hardware solutions available that can solve this for existing IDS
deployments.

-Coop

On 7/17/2018 7:25 PM, F.Tremblay wrote:
> It's the elephant in the room... Been running suricata for years and
> today I'm having a hard time finding HTTP, cleartext webpages to test
> rules.
>
> Everybody can encrypt with a 5$ cert from Godaddy or Let's Encrypt.
> If you don't do MiTM, you see nothing.
>
> And let's not talk about just how easy it is to evade detection in HTTP...
>
> It's possible with sslproxy and suricata, you just need a python
> script to strip the sslproxy header, send it to MiTMproxy, and voilà;
> all cleartext.
>
> Making suricata understand sslproxy header is no biggie, you still
> have to make sslproxy work, evade JA3 detection, push the certs,
> etc...
>
> Not like we were revealing the elephant...
>
> F.

-- 
Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
cnelson at ucsd.edu x41042
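The header-stripping step F.Tremblay describes (take the decrypted stream SSLproxy hands out, drop its metadata line, pass the rest on to the analysis side), as an added example that is not code from this thread or from the SSLproxy, mitmproxy or Suricata projects. It assumes SSLproxy prepends exactly one line of the form `SSLproxy: [addr]:port,[addr]:port,[addr]:port,s|p` followed by CRLF (format assumed from the SSLproxy README; which address is the return listener, the client and the server is likewise an assumption noted in the code). The sample header and HTTP request in the test are constructed. The stateful filter also handles the header arriving split across TCP reads, which a one-shot `split` on the first recv() would get wrong.

```python
"""Strip the SSLproxy metadata line from the front of a proxied TCP stream.

Added example, not code from the thread or from SSLproxy/Suricata/mitmproxy.
Assumed header format (from the SSLproxy README):
  SSLproxy: [a1]:p1,[a2]:p2,[a3]:p3,<s|p>\r\n
followed directly by the decrypted application data.
"""
import re
from typing import NamedTuple, Optional, Tuple

_PREFIX = b"SSLproxy: "
_MAX_HDR = 256  # longer than any plausible header line -> treat as data

# One header line at the very start of the stream: three bracketed
# addresses (IPv4 or IPv6) with decimal ports, then 's' (TLS upstream)
# or 'p' (plain upstream), terminated by CRLF.
_HDR = re.compile(
    rb"^SSLproxy: \[(?P<a1>[^\]]+)\]:(?P<p1>\d{1,5}),"
    rb"\[(?P<a2>[^\]]+)\]:(?P<p2>\d{1,5}),"
    rb"\[(?P<a3>[^\]]+)\]:(?P<p3>\d{1,5}),(?P<mode>[sp])\r\n"
)

Addr = Tuple[str, int]


class ProxyMeta(NamedTuple):
    return_addr: Addr   # where SSLproxy expects the stream back (assumed)
    src: Addr           # original client address (assumed)
    dst: Addr           # original server address (assumed)
    upstream_tls: bool  # True for 's', False for 'p' (assumed)


def _addr(m: "re.Match[bytes]", a: str, p: str) -> Optional[Addr]:
    """Decode one address/port pair; None if the port is out of range."""
    port = int(m.group(p))
    if port > 65535:
        return None
    return m.group(a).decode("ascii"), port


def split_sslproxy_header(buf: bytes) -> Tuple[Optional[ProxyMeta], Optional[bytes]]:
    """Return (meta, payload).

    (None, buf)     -> no SSLproxy header; pass the bytes through untouched
    (None, None)    -> buf may be a truncated header; read more and retry
    (meta, payload) -> header parsed and removed
    """
    # Anything that is not a prefix of "SSLproxy: " cannot be a header.
    if not buf.startswith(_PREFIX[: len(buf)]):
        return None, buf
    end = buf.find(b"\r\n")
    if end < 0:
        return (None, buf) if len(buf) > _MAX_HDR else (None, None)
    m = _HDR.match(buf)
    if not m:
        return None, buf  # looks like a header but is malformed: keep as data
    addrs = [_addr(m, a, p) for a, p in (("a1", "p1"), ("a2", "p2"), ("a3", "p3"))]
    if any(x is None for x in addrs):
        return None, buf
    meta = ProxyMeta(addrs[0], addrs[1], addrs[2], m.group("mode") == b"s")
    return meta, buf[m.end():]


class SslproxyStreamFilter:
    """Feed TCP chunks in order; get back application bytes with the header
    removed, even when the header line is split across several reads."""

    def __init__(self) -> None:
        self._pending = b""
        self._decided = False
        self.meta: Optional[ProxyMeta] = None

    def feed(self, chunk: bytes) -> bytes:
        if self._decided:
            return chunk  # header already handled: plain passthrough
        self._pending += chunk
        meta, payload = split_sslproxy_header(self._pending)
        if payload is None:
            return b""  # header still incomplete, keep buffering
        self._decided = True
        self.meta = meta
        self._pending = b""
        return payload
```

Use `SslproxyStreamFilter` per connection on the listener that SSLproxy forwards to, and hand everything `feed()` returns to the next hop; `meta.src`/`meta.dst` are what you would keep so the stripped stream can still be tied back to the real endpoints in alerts.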

