Parent task #4122: tracking: handle various TLS decrypt headers in proxies and decryption tools

Feature #2513: sslproxy: handle HTTP header

Added by Marco Silva almost 8 years ago. Updated 6 months ago.

Status:
Feedback
Priority:
Normal
Target version:
Effort:
medium
Difficulty:
medium
Label:

Description

Hello. Is it possible to implement in Suricata for it to read the SSLProxy header to get the source and destination correctly?

UTMFW supports the deep SSL inspection of HTTP, POP3, and SMTP protocols. SSL / TLS encrypted traffic is decrypted by SSLproxy and fed into the UTM services: Web Filter, HTTP Proxy, POP3 Proxy, SMTP Proxy, Virus Scanner, Spam Filter, and Inline IPS.

https://github.com/sonertari/SSLproxy

https://github.com/sonertari/UTMFW


Files

log.pcap (11.1 KB), pcap SSLproxy header, Marco Silva, 03/07/2019 09:05 PM
log3.pcap (24.7 KB), pcap SSLproxy header, Marco Silva, 03/07/2019 09:05 PM
log4.pcap (14.9 KB), pcap SSLproxy header, Marco Silva, 03/07/2019 09:05 PM

Related issues: 1 (1 open, 0 closed)

Related to Suricata - Feature #4965: protocol: SOCKS support (In Progress, Victor Julien)

#1 Updated by Jason Ish almost 8 years ago

  • Assignee changed from Jason Ish to OISF Dev
  • Effort set to medium
  • Difficulty set to medium

#2 Updated by Andreas Herz almost 8 years ago

  • Project changed from Suricata-Update to Suricata
  • Target version set to TBD

#3 Updated by Victor Julien almost 8 years ago

  • Assignee changed from OISF Dev to Anonymous

#4 Updated by Victor Julien about 7 years ago

  • Status changed from New to Feedback

What is the header name and format? Can you add some examples?

#5 Updated by Andreas Herz about 7 years ago

  • Assignee set to Community Ticket

#6 Updated by Marco Silva about 7 years ago

Victor Julien wrote:

What is the header name and format? Can you add some examples?

A sample line SSLproxy inserts into the first packet in the connection is the following:

SSLproxy: [127.0.0.1]:34649,[192.168.3.24]:47286,[192.168.111.130]:443,s

Header HTTPS Connection:

GET /pagead/gen_204?id=wfocus&gqid&qqid=CLPmw9v5vNsCFdZHhgod9kUO1A&fg=1 HTTP/1.1
SSLproxy: [127.0.0.1]:31165,[172.16.103.11]:45466,[172.217.30.2]:443,s
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: */*
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
Referer: https://tpc.googlesyndication.com/safeframe/1-0-27/html/container.html
Cookie: IDE=AHWqTUmQsnYSkcFFQjeBSCtBQjykn62o5XiRzud06vFOVJnOHqiqe1F4lZWIXyRj;
Host: googleads.g.doubleclick.net
Via: squid/3.5.26-20170702-r14182
Cache-Control: max-age=0
Connection: keep-alive

More information:
https://github.com/sonertari/SSLproxy
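The header format quoted in the comment above, as an added parser example; this is not code from the ticket, from SSLproxy or from Suricata. Which of the three `[addr]:port` fields is the proxy's own listener, the original client and the original server is an assumption (the comment only says the header carries "source and destination"), as is the sample request, which is constructed from the comment's HTTPS example.

```python
"""Parse the SSLproxy connection header shown in this ticket."""
import ipaddress
import re
from typing import NamedTuple, Optional

# One "[addr]:port" endpoint; the brackets also fit IPv6 literals.
_ENDPOINT = re.compile(r"^\[([^\]]+)\]:(\d{1,5})$")

class Endpoint(NamedTuple):
    ip: str
    port: int

class SSLproxyHeader(NamedTuple):
    listener: Endpoint   # assumed: the proxy's own listener for the return leg
    client: Endpoint     # assumed: original client, i.e. the real source
    server: Endpoint     # assumed: original server, i.e. the real destination
    flag: str            # "s" in the ticket's samples; other values pass through

def _parse_endpoint(text: str) -> Endpoint:
    m = _ENDPOINT.match(text.strip())
    if not m:
        raise ValueError(f"bad endpoint: {text!r}")
    ip = ipaddress.ip_address(m.group(1))   # rejects non-IP junk
    port = int(m.group(2))
    if not 0 < port <= 65535:
        raise ValueError(f"bad port in {text!r}")
    return Endpoint(str(ip), port)

def parse_sslproxy_value(value: str) -> SSLproxyHeader:
    """Split the value after 'SSLproxy:' into three endpoints and a flag."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 4:
        raise ValueError(f"expected 4 comma-separated fields, got {len(parts)}")
    listener, client, server = (_parse_endpoint(p) for p in parts[:3])
    if not re.fullmatch(r"[A-Za-z]", parts[3]):
        raise ValueError(f"bad flag: {parts[3]!r}")
    return SSLproxyHeader(listener, client, server, parts[3])

def extract_from_request(raw: str) -> Optional[SSLproxyHeader]:
    """Return the parsed SSLproxy header of an HTTP request head, or None."""
    head = raw.split("\r\n\r\n", 1)[0].split("\n\n", 1)[0]
    for line in head.splitlines()[1:]:       # skip the request line
        name, sep, val = line.partition(":")
        if sep and name.strip().lower() == "sslproxy":
            return parse_sslproxy_value(val)
    return None

# Constructed sample, cut down from the HTTPS example in the comment above.
SAMPLE = (
    "GET /pagead/gen_204?id=wfocus HTTP/1.1\r\n"
    "SSLproxy: [127.0.0.1]:31165,[172.16.103.11]:45466,[172.217.30.2]:443,s\r\n"
    "Host: googleads.g.doubleclick.net\r\n\r\n"
)
```

A tool that consumes the decrypted stream would use `client` and `server` as the flow's real endpoints instead of the loopback addresses the socket reports.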

#7 Updated by Marco Silva about 7 years ago

Victor Julien wrote:

What is the header name and format? Can you add some examples?

#8 Updated by Victor Julien over 5 years ago

  • Parent task set to #4122

#9 Updated by Philippe Antoine almost 2 years ago

#10 Updated by Victor Julien 6 months ago

  • Subject changed from Suricata read the SSLProxy header to sslproxy: handle HTTP header