ecapture feed non encrypted http to IDS suricata? #392
-
I haven't used IDS Suricata before, but I'm planning to send unencrypted HTTPS packets to a remote socket (like Charles proxy, Burp, etc.). I'm also looking for protocol specifications for this type of software. If you know about these, please let me know.
-
Maybe this is close to what you are looking for in regard to protocol
-
I don't think ecapture can help. As far as I'm aware, ecapture can only work when the TLS traffic is generated on the box running ecapture. The entire point of a NIDS like Suricata is that it is seeing all network traffic between hosts on your local network and Internet hosts, i.e. the host running Suricata is not the creator of the TLS traffic. If ecapture could "magically" decrypt TLS traffic between two other systems, that would kinda imply TLS is useless...
-
I think IDS Suricata does not have the capability to decode SSL/TLS/HTTPS. Since ecapture can, and can write to a pcap file, it seems already possible to run IDS Suricata in offline mode to read the pcap file created by ecapture. I am wondering, though, whether ecapture could feed the decrypted data to Suricata live, or maybe Suricata needs to add its own ecapture-like capability?
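One way to get close to the "live" hand-off asked about above, as an added example that is not part of this thread and not code from ecapture or Suricata: keep Suricata running in its unix-socket mode (started with `suricata --unix-socket`) and submit each finished pcap file that ecapture writes with the `pcap-file` command, which is what the `suricatasc` client does from the shell. The socket path, the `pcap-file` argument names (`filename`, `output-dir`), the protocol version string and the exact reply wording are assumptions taken from the suricatasc exchange and should be checked against the `suricatasc` shipped with your Suricata; the `FakeSuricataSocket` class is a constructed stand-in so the script can be exercised without a real Suricata.

```python
"""Submit pcap files (e.g. ones written by ecapture) to a Suricata unix command socket."""
import json
import os
import socket
import tempfile
import threading

# Assumption: the JSON hello/command exchange mirrors what suricatasc speaks.
PROTOCOL_VERSION = "0.2"


class SuricataSocketError(RuntimeError):
    """Raised when the command socket closes or rejects the protocol hello."""


def _send(sock, obj):
    # Each message is one JSON object; the peer answers before the next is sent.
    sock.sendall(json.dumps(obj).encode())


def _recv(sock):
    # Accumulate until the buffer parses as a complete JSON object.
    buf = b""
    while True:
        chunk = sock.recv(65536)
        if not chunk:
            raise SuricataSocketError("command socket closed")
        buf += chunk
        try:
            return json.loads(buf.decode())
        except ValueError:
            continue  # partial message, keep reading


def submit_pcaps(socket_path, pcap_files, output_dir):
    """Queue each pcap on the running Suricata; return {path: server reply}.

    Suricata processes queued files one after another and writes its logs
    (eve.json etc.) under output_dir, so only submit files ecapture has
    finished writing, not the one it is still appending to.
    """
    results = {}
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(socket_path)
        _send(s, {"version": PROTOCOL_VERSION})
        hello = _recv(s)
        if hello.get("return") != "OK":
            raise SuricataSocketError("protocol hello rejected: %r" % hello)
        for path in pcap_files:
            _send(s, {"command": "pcap-file",
                      "arguments": {"filename": os.path.abspath(path),
                                    "output-dir": output_dir}})
            results[path] = _recv(s)  # {"return": "OK"/"NOK", "message": ...}
    return results


class FakeSuricataSocket(threading.Thread):
    """Constructed stand-in for Suricata's command socket (offline demo only)."""

    def __init__(self, path):
        super().__init__(daemon=True)
        self.srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.srv.bind(path)
        self.srv.listen(1)

    def run(self):
        conn, _ = self.srv.accept()
        with conn:
            hello = _recv(conn)
            _send(conn, {"return": "OK" if "version" in hello else "NOK"})
            while True:
                try:
                    cmd = _recv(conn)
                except SuricataSocketError:
                    break  # client hung up
                fn = cmd.get("arguments", {}).get("filename", "")
                if cmd.get("command") == "pcap-file" and os.path.isfile(fn):
                    _send(conn, {"return": "OK", "message": "pcap %s added to list" % fn})
                else:
                    _send(conn, {"return": "NOK", "message": "File does not exist"})
        self.srv.close()


def demo():
    """Submit one existing and one missing capture to the fake socket."""
    with tempfile.TemporaryDirectory() as tmp:
        sock_path = os.path.join(tmp, "cmd.sock")
        good = os.path.join(tmp, "ecapture-0001.pcapng")
        with open(good, "wb") as f:
            f.write(b"\x0a\x0d\x0d\x0a")  # constructed placeholder bytes, not a real capture
        missing = os.path.join(tmp, "ecapture-0002.pcapng")
        FakeSuricataSocket(sock_path).start()
        return submit_pcaps(sock_path, [good, missing], os.path.join(tmp, "eve-out"))


if __name__ == "__main__":
    for path, reply in demo().items():
        print(os.path.basename(path), "->", reply["return"], reply.get("message", ""))
```

Against a real install, point `submit_pcaps` at Suricata's configured command socket instead of the fake one; `suricata -r capture.pcapng -l ./logs` remains the simpler one-shot offline route. Whichever way the file gets in, check the resulting eve.json for `event_type: http` records rather than `tls` ones to confirm Suricata saw the plaintext ecapture reconstructed and not the original encrypted stream.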