Thursday, October 22, 2015

HOWTO : Self-signed Certificate on Suricata

Problem

The most common weakness of Intrusion Detection and Prevention System is encrypted traffic inspection. The encrypted SSL/TLS traffic requires signed certificate for decryption. Some malicious activities may use self-signed certificate for the SSL/TLS connection.

Solution

How we can do that? If you are running Suricata as IPS, you can do it very easy with the reference of this blog. The rule will detect self-signed certificate without concerning of port number.

Make sure you have configure the Suricata properly according to the blog.

You can also use this rule for other purpose too.

Quick Reference

self-signed-cert.lua

The suricata rule is :

alert tls any any -> any any (msg:"SURICATA TLS Self Signed Certificate"; flow:established; luajit:self-signed-cert.lua; tls.store; classtype:protocol-command-decode; sid:999666111; rev:1;)

HOWTO : LuaJIT on Suricata

That's all! See you.