[Oisf-users] Suricata + SSLProxy

Cloherty, Sean E scloherty at mitre.org
Fri Jul 20 14:13:18 UTC 2018

There is more than one elephant in the room. Even if you resolve the SSL issue, there is still HTTP/2 traffic whose content is compressed and chunked and becoming more prevalent. We opened a feature request some time ago for an HTTP/2 decoder: https://redmine.openinfosecfoundation.org/issues/1947

To illustrate, open a few of your favorite websites in Chrome. Then in a separate tab open chrome://net-internals/#http2 and watch that tab while you go back to browsing in the other tabs. It shows how many sites are using HTTP/2 as you browse.

Since our request, another colleague of mine created an HTTP/2 decoder plugin for Bro.  It is open source and available at https://github.com/MITRECND/bro-http2  

I hope that this might generate some interest in adapting this code for use in Suricata. 

-----Original Message-----
From: Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org> On Behalf Of F.Tremblay
Sent: Tuesday, July 17, 2018 22:26 PM
To: Marco Aurelio <marcoaurelio22 at gmail.com>
Cc: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Suricata + SSLProxy

It's the elephant in the room... Been running suricata for years and today I'm having a hard time finding HTTP, cleartext webpages to test rules.

Everybody can encrypt with a $5 cert from GoDaddy or Let's Encrypt.
If you don't do MiTM, you see nothing.

And let's not talk about just how easy it is to evade detection in HTTP...

It's possible with sslproxy and suricata, you just need a python script to strip the sslproxy header, send it to MiTMproxy, and voilà; all cleartext.

Making suricata understand the sslproxy header is no biggie, you still have to make sslproxy work, evade JA3 detection, push the certs, etc...

Not like we were revealing the elephant...


On 7/17/18, Marco Aurelio <marcoaurelio22 at gmail.com> wrote:
> Hello, is it possible to use Suricata to correctly read the
> SSLProxy header? SSLProxy delivers encrypted SSL traffic in plain
> text to SNORT, and I would like to use Suricata.
> https://github.com/sonertari/SSLproxy
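
As an added example (my code, not from this thread or from the SSLproxy project), the header-stripping step F.Tremblay describes: remove the line SSLproxy inserts into the decrypted HTTP stream so a downstream IDS sees plain HTTP, while keeping the connection tuple that line carries for logging. The `SSLproxy:` line layout is assumed from the SSLproxy README rather than stated in the thread, and the sample request is constructed.

```python
import re
from typing import NamedTuple, Optional, Tuple

# Line SSLproxy inserts into the decrypted stream. Field layout assumed from the
# SSLproxy README (the thread does not spell it out); last letter: 's' = was TLS, 'p' = plain.
#   SSLproxy: [src_ip]:src_port,[dst_ip]:dst_port,[orig_dst_ip]:orig_dst_port,s|p
SSLPROXY_LINE = re.compile(
    rb"^SSLproxy: \[(?P<src_ip>[^\]]+)\]:(?P<src_port>\d+),"
    rb"\[(?P<dst_ip>[^\]]+)\]:(?P<dst_port>\d+),"
    rb"\[(?P<orig_ip>[^\]]+)\]:(?P<orig_port>\d+),(?P<proto>[sp])$"
)


class ProxyMeta(NamedTuple):
    src: Tuple[str, int]       # client as seen by SSLproxy
    dst: Tuple[str, int]       # SSLproxy's own listening socket
    orig_dst: Tuple[str, int]  # the real server the client connected to
    was_tls: bool


def strip_sslproxy_header(raw: bytes) -> Tuple[bytes, Optional[ProxyMeta]]:
    """Drop the 'SSLproxy:' line from an HTTP/1.x head and return (clean_request, meta).
    meta is None when no such line is present, so non-proxied traffic passes through."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:                    # head not complete yet: leave untouched
        return raw, None
    kept, meta = [], None
    for line in head.split(b"\r\n"):
        m = SSLPROXY_LINE.match(line)
        if m and meta is None:     # remove exactly one proxy line; keep all real headers
            g = m.groupdict()
            meta = ProxyMeta(
                (g["src_ip"].decode(), int(g["src_port"])),
                (g["dst_ip"].decode(), int(g["dst_port"])),
                (g["orig_ip"].decode(), int(g["orig_port"])),
                g["proto"] == b"s",
            )
            continue
        kept.append(line)
    return b"\r\n".join(kept) + sep + body, meta


# Constructed sample: a decrypted GET as SSLproxy would hand it to a downstream listener.
SAMPLE = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"SSLproxy: [127.0.0.1]:34649,[192.168.3.24]:47286,[203.0.113.10]:443,s\r\n"
    b"User-Agent: curl/7.61.0\r\n"
    b"\r\n"
)
```

The returned request parses as ordinary HTTP/1.1 (the `Host:` header is untouched), and `meta.orig_dst` gives the real server to attach to any alert that fires on it.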

Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

Conference: https://suricon.net
Trainings: https://suricata-ids.org/training/
