Does SSLproxy forward the SSL-decrypted traffic to a NIDS (for example a Suricata server) for analysis? Is it possible? #34

Open
scdit46 opened this issue Oct 13, 2021 · 1 comment


scdit46 commented Oct 13, 2021

Does SSLproxy forward the SSL-decrypted traffic to a NIDS (for example a Suricata server) for analysis?
Is it possible?

@sonertari (Owner) commented

If your NIDS is a passive IDS, then you can use the mirroring options in SSLproxy. So you can send decrypted (emulated) packets to an IDS. See the documentation for MirrorIf and MirrorTarget options. Note that for mirroring you can also use SSLsplit instead of SSLproxy.

If your NIDS is an active inline IPS, then you can use divert sockets support of your packet filter, such as the divert-packet rules in OpenBSD/pf. In fact, the UTMFW project configures pf with divert-packet rules to inspect the packets decrypted by SSLproxy and destined to UTM services. The configuration on UTMFW is for the loopback interface, but you can also divert decrypted packets to a remote address, using the ua and ra proxyspec options, and then configure your IPS at that remote address to inspect those packets using divert sockets (but you may have to use a dummy listening program like lp in the sources, so that the listening program returns the packets to sslproxy listening on the ra address). See the README and other documentation for the related proxyspec options.
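To make the two setups in the answer concrete, here is an added configuration example (not from the SSLproxy or UTMFW projects): an sslproxy.conf fragment that enables mirroring for a passive sensor and a proxyspec carrying the ua/ra options for the inline case, followed by a pf rule of the divert-packet kind the answer describes. The option names MirrorIf, MirrorTarget, ua and ra come from the answer; the interface name, addresses, ports and file paths are placeholders.

```conf
# sslproxy.conf fragment (added example; placeholder paths and addresses)
# CA used to forge leaf certificates for the intercepted TLS sessions.
CACert /etc/sslproxy/ca.crt
CAKey /etc/sslproxy/ca.key

# Passive NIDS (e.g. Suricata sniffing a sensor interface):
# decrypted content is re-emitted as emulated TCP packets on MirrorIf,
# addressed to MirrorTarget, so a sniffer there sees plaintext.
# "em1" and 192.0.2.10 (TEST-NET-2) are placeholders.
MirrorIf em1
MirrorTarget 192.0.2.10

# Inline IPS via divert sockets: plaintext goes to the "up" listener.
# ua: source address the listener sees for the decrypted stream.
# ra: return address SSLproxy listens on for the listener's replies.
# Both are loopback here, as in the UTMFW layout the answer mentions;
# a remote ua/ra would point at the IPS host instead.
ProxySpec https 127.0.0.1 8443 up:8080 ua:127.0.0.1 ra:127.0.0.1

# pf.conf fragment on the host running the listener (added example):
# hand the plaintext TCP stream bound for the up:8080 listener to a
# divert socket on port 700, where the IPS (or a pass-through program
# such as the lp helper the answer names) must read it and inject it
# back so that it reaches the listener and is returned to ra.
# pass in quick on lo0 proto tcp to 127.0.0.1 port 8080 divert-packet port 700
```

Whichever host runs the divert socket, something must always re-inject the diverted packets; an IPS that only reads from the divert socket and never writes back silently black-holes the decrypted stream.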
