Feature #2513
open
Task #4122: tracking: handle various TLS decrypt headers in proxies and decryption tools
Suricata read the SSLProxy header
Added by Marco Silva over 6 years ago.
Updated about 4 years ago.
Description
Hello. is it possible to implement in the suricata for it to read the SSLProxy header to get the source and destination correctly?
UTMFW supports the deep SSL inspection of HTTP, POP3, and SMTP protocols. SSL / TLS encrypted traffic is decrypted by SSLproxy and fed into the UTM services: Web Filter, HTTP Proxy, POP3 Proxy, SMTP Proxy, Virus Scanner, Spam Filter, and Inline IPS.
https://github.com/sonertari/SSLproxy
https://github.com/sonertari/UTMFW
Files
Related issues
1 (1 open — 0 closed)
- Assignee changed from Jason Ish to OISF Dev
- Effort set to medium
- Difficulty set to medium
- Project changed from Suricata-Update to Suricata
- Target version set to TBD
- Assignee changed from OISF Dev to Anonymous
- Status changed from New to Feedback
What is the header name and format? Can you add some examples?
- Assignee set to Community Ticket
Victor Julien wrote:
What is the header name and format? Can you add some examples?
A sample line SSLproxy inserts into the first packet in the connection is the following:
SSLproxy: [127.0.0.1]:34649,[192.168.3.24]:47286,[192.168.111.130]:443,s
Header HTTPS Connection:
GET /pagead/gen_204?id=wfocus&gqid&qqid=CLPmw9v5vNsCFdZHhgod9kUO1A&fg=1 HTTP/1.1
SSLproxy: [127.0.0.1]:31165,[172.16.103.11]:45466,[172.217.30.2]:443,s
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: */*
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
Referer: https://tpc.googlesyndication.com/safeframe/1-0-27/html/container.html
Cookie: IDE=AHWqTUmQsnYSkcFFQjeBSCtBQjykn62o5XiRzud06vFOVJnOHqiqe1F4lZWIXyRj;
Host: googleads.g.doubleclick.net
Via: squid/3.5.26-20170702-r14182
Cache-Control: max-age=0
Connection: keep-alive
More information:
https://github.com/sonertari/SSLproxy
Victor Julien wrote:
What is the header name and format? Can you add some examples?
- Related to Feature #4965: Suricata should detect application layer protocol underneath SOCKS added
Also available in: Atom
PDF