Project

General

Profile

Actions
Copy link

Feature #2513

open

Task #4122: tracking: handle various TLS decrypt headers in proxies and decryption tools

Suricata read the SSLProxy header

Added by Marco Silva over 6 years ago. Updated almost 4 years ago.

Status:
Feedback
Priority:
Normal
Assignee:
Community Ticket
Target version:
TBD
Effort:
medium
Difficulty:
medium
Label:

Description

Hello. is it possible to implement in the suricata for it to read the SSLProxy header to get the source and destination correctly?

UTMFW supports the deep SSL inspection of HTTP, POP3, and SMTP protocols. SSL / TLS encrypted traffic is decrypted by SSLproxy and fed into the UTM services: Web Filter, HTTP Proxy, POP3 Proxy, SMTP Proxy, Virus Scanner, Spam Filter, and Inline IPS.

https://github.com/sonertari/SSLproxy

https://github.com/sonertari/UTMFW

Files

Download all files
log.pcap (11.1 KB) log.pcap pcap SSLproxy header Marco Silva, 03/07/2019 09:05 PM
log3.pcap (24.7 KB) log3.pcap pcap SSLproxy header Marco Silva, 03/07/2019 09:05 PM
log4.pcap (14.9 KB) log4.pcap pcap SSLproxy header Marco Silva, 03/07/2019 09:05 PM

Related issues 1 (1 open0 closed)

Related to Suricata - Feature #4965: Suricata should detect application layer protocol underneath SOCKSNewOISF DevActions
Actions
Copy link
 #1

Updated by Jason Ish over 6 years ago

  • Assignee changed from Jason Ish to OISF Dev
  • Effort set to medium
  • Difficulty set to medium
Actions
Copy link
 #2

Updated by Andreas Herz over 6 years ago

  • Project changed from Suricata-Update to Suricata
  • Target version set to TBD
Actions
Copy link
 #3

Updated by Victor Julien over 6 years ago

  • Assignee changed from OISF Dev to Anonymous
Actions
Copy link
 #4

Updated by Victor Julien over 5 years ago

  • Status changed from New to Feedback

What is the header name and format? Can you add some examples?

Actions
Copy link
 #5

Updated by Andreas Herz over 5 years ago

  • Assignee set to Community Ticket
Actions
Copy link
 #6

Updated by Marco Silva over 5 years ago

Victor Julien wrote:

What is the header name and format? Can you add some examples?

A sample line SSLproxy inserts into the first packet in the connection is the following:

SSLproxy: [127.0.0.1]:34649,[192.168.3.24]:47286,[192.168.111.130]:443,s

Header HTTPS Connection:

GET /pagead/gen_204?id=wfocus&gqid&qqid=CLPmw9v5vNsCFdZHhgod9kUO1A&fg=1 HTTP/1.1
SSLproxy: [127.0.0.1]:31165,[172.16.103.11]:45466,[172.217.30.2]:443,s
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: */*
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
Referer: https://tpc.googlesyndication.com/safeframe/1-0-27/html/container.html
Cookie: IDE=AHWqTUmQsnYSkcFFQjeBSCtBQjykn62o5XiRzud06vFOVJnOHqiqe1F4lZWIXyRj;
Host: googleads.g.doubleclick.net
Via: squid/3.5.26-20170702-r14182
Cache-Control: max-age=0
Connection: keep-alive

More information:
https://github.com/sonertari/SSLproxy

Actions
Copy link Download all files
 #7

Updated by Marco Silva over 5 years ago

Victor Julien wrote:

What is the header name and format? Can you add some examples?

Actions
Copy link
 #8

Updated by Victor Julien almost 4 years ago

  • Parent task set to #4122
Actions
Copy link
 #9

Updated by Philippe Antoine 4 months ago

  • Related to Feature #4965: Suricata should detect application layer protocol underneath SOCKS added
Actions
Copy link

Also available in: Atom PDF