[Oisf-users] Suricata SSL decryption
Soner Tari
sonertari at gmail.com
Sat Mar 21 07:58:43 UTC 2020
Hi Coop,
You say that SSLproxy is single-threaded:
http://lists.openinfosecfoundation.org/pipermail/oisf-users/2018-November/016311.html
I am the developer of SSLproxy, and I assure you that it has an event-
driven multithreaded design:
"SSLproxy is able to handle a relatively high number of listeners and
connections due to a multithreaded, event based architecture based on
libevent"
See sslproxy(1) here:
https://github.com/sonertari/SSLproxy/blob/master/sslproxy.1
By default, SSLproxy starts twice as many number of connection handling
threads as the number of cores on the system it is running on.
HTH,
Soner
Cooper F. Nelson wrote:
> Most large deployments are going to have a switched hardware tap
> anyway
> (we do, to support other sensors and allow for redundancy), so buying
> one that can also decrypt TLS is a net positive I would think.
> Offloading the decryption to dedicated hardware may also be necessary
> for large (e.g. 100Gb) deployments; plus you get so save your CPU
> cycles
> for detection.
>
> Squid was initially developed here @UCSD and I'm intimately familiar
> with the project. I'm currently investigating whether the 'SSlBump
> Peek
> and Splice' feature can be leveraged to allow suricata to be
> integrated
> into a traditional forward proxy deployment:
>
> > https://wiki.squid-cache.org/Features/SslPeekAndSplice
>
> From what I can tell so far it looks like it will require new code to
> actually send the decrypted traffic somewhere (like a loopback
> interface) vs. just inspecting/logging.
>
> I also have a 'pipe dream' of learning Rust and adding TLS decryption
> support to the current protocol handler; but the reality is that is
> probably outside of my capabilities. And it would only work in a
> 'reverse' proxy deployment where you control the servers and can
> install
> the associated private key(s) on your sensor. I'm not sure how it
> would
> work in a forward proxy mode and would probably require a separate
> software stack (like squid or nginx) to proxy the session and install
> your own private key. One idea I had was to create something like a
> TLS
> 'gateway' you installed on the perimeter that would knock down TLS
> 1.3
> and 1.2 DHE sessions to a minimal 1.2 session that could be easily
> decrypted off the wire once the traffic was inside your network.
>
> I'm personally of the opinion that if you are *really* serious about
> inspecting TLS traffic you should build a true 'zero trust' network
> first; then setup a DMZ and an explicit forward proxy (no NAT!) to
> access external sites. In that architecture you can easily drop
> something like SSLproxy in place to intercept and inspect encrypted
> traffic. AFAIK SSLproxy is single-threaded, so I'm note sure how
> well
> it would work if deployed on a large (10Gb+) network. For 1G
> deployments it works fine, though.
>
> -Coop
>
> On 11/4/2018 6:38 PM, F.Tremblay wrote:
> > Nothing personal Coop, just seems odd when plp talks about /vendors
> > /in an open source project.
> >
> > Like saying go to Bluecoat in a squid forum.
> >
> > Michal is right, the way to do it is to send Suricata decrypted
>
> traffic.
> >
> > Look at the work of Sonertari with SSLproxy, also MiTMproxy and
>
> python.
> >
> >
> > https://github.com/sonertari/SSLproxy
> >
> > And if you are anywhere between NYC and Toronto, Ill set you up
> > with
> > an open souce solution to inspect encrypted traffic.
> >
> > No black box.
> >
> > Cheers.
> >
> > F.
>
>
More information about the Oisf-users
mailing list