[Oisf-users] Analysis of SSL-decrpyted traffic

Cooper F. Nelson cnelson at ucsd.edu
Tue Feb 25 19:04:40 UTC 2020

Have you tried logging http to file, to ensure that suricata is decoding 

Have you tried enabling the http-events rules?


In my personal experience, I haven't seen any evidence of malicious 
behavior over tls from common sources (trusted domains/IPs) to our 
clients.  This is based on cross-referencing EDR alerts with suricata.  
We sinkhole bad IPs and domains automatically, which will stop the bulk 
of these attacks entirely from 'known bad' sources.  I have observed 
malicious activity inbound over tls to servers, however.

For malware that uses tls, like Dridex, the EmergingThreats team will 
release signatures for the certificates, so you may actually be losing 
visibility by decoding the traffic.  I'm not sure if they have sigs to 
detect the decoded CnC traffic for malware families that utilize tls.


On 2/25/2020 8:53 AM, Federico Foschini wrote:
> Hello,
> I’ve configured my firewall to mirror SSL-decrypted traffic to a 
> server in which I’m running suricata 5.0
> I cannot trigger any alert on this type of traffic, even if using zeek 
> or wireshark I can clearly see that the traffic is HTTP (but on port 443).
> In |suricata.yaml| I’ve added port 443 in HTTP_PORTS variable:
> |port-groups: HTTP_PORTS: "[80,81,311,383, 443, ...]" |

Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
cnelson at ucsd.edu x41042

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20200225/67fee165/attachment.html>

More information about the Oisf-users mailing list