Suricata: Intrusion Detection and Security Flaws

Kudos to @LTS_Tom for the good work on pfSense, networking and security. Your videos have really helped us start-ups.
After viewing the videos on how IDS/IPS systems like Suricata cannot catch threats in packets of encrypted traffic on the network, what can one do to mitigate such threats? Otherwise, what is the point of setting up Suricata and signing up for the premium rulesets to be used by it, when nowadays almost all network traffic is encrypted, especially HTTPS traffic?

Is there a solution to this? Can someone help out? Thanks.

The solution is to be more focused where you have visibility, which is at the endpoint.

But Tom, traffic to and from endpoints is now mostly encrypted (HTTPS), unless I do not get what you are trying to say. Can you throw more light on this, please?

Tools such as Windows Defender, SentinelOne and Malwarebytes are all examples of workstation endpoint protection.

Oh ok, I get you now. So what about protection of the edge box (pfSense)? Which package can help stop these threats, transmitted in encrypted traffic, from coming into the inside network?

There is no guarantee that you can; it's all best effort.

There are some tools that look for signs of suspect communications.

RITA
HoneyBadger
ADHD

Here's the video I learned about them from: John Strand, Keynote: A Hunting We Must Go | KringleCon 2019. Worth watching, and it has some humorous parts. This was part of the SANS Holiday Hacking Challenge 2019.

Here is a link to RITA

Also, https://securityonion.net/ is a good tool for analysts when trying to trace out connections that look suspicious.

But both of these are still more reactive/informative and not as preventive.
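The "signs of suspect communications" that tools like RITA hunt for in encrypted traffic are mostly timing and size patterns, not payload. The script below is an added example (not RITA's code, and not part of this thread) showing the core of that idea: it reads connection-log lines in a constructed Zeek-like `ts src dst dport bytes` shape, and flags source/destination pairs whose connections recur at nearly fixed intervals with nearly fixed sizes, which is what a beaconing implant over HTTPS looks like from the wire without any decryption. The log lines, the thresholds, and the column layout are all assumptions made for the example.

```python
"""
Beacon detection over connection-log lines (added example, not RITA's own code).
Flags src/dst pairs whose connections recur at suspiciously regular intervals,
the kind of signal that remains visible even when every payload is encrypted.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample in a Zeek-like conn.log shape: ts src dst dport bytes.
# 10.0.0.5 checks in with 203.0.113.9 every ~60 s with a fixed size (beacon-like);
# 10.0.0.7 talks to 198.51.100.4 at irregular times with varying sizes (browsing-like).
SAMPLE_LOG = """\
1575900000.0 10.0.0.5 203.0.113.9 443 512
1575900060.2 10.0.0.5 203.0.113.9 443 512
1575900120.1 10.0.0.5 203.0.113.9 443 512
1575900179.9 10.0.0.5 203.0.113.9 443 512
1575900240.0 10.0.0.5 203.0.113.9 443 512
1575900300.1 10.0.0.5 203.0.113.9 443 512
1575900005.0 10.0.0.7 198.51.100.4 443 8123
1575900212.0 10.0.0.7 198.51.100.4 443 1044
1575901900.0 10.0.0.7 198.51.100.4 443 77211
1575903333.0 10.0.0.7 198.51.100.4 443 934
1575903339.0 10.0.0.7 198.51.100.4 443 13041
1575904000.0 10.0.0.7 198.51.100.4 443 2
"""


def parse_conn_log(text):
    """Parse 'ts src dst dport bytes' lines into {(src, dst, dport): [(ts, bytes), ...]}."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows[(src, dst, int(dport))].append((float(ts), int(nbytes)))
    return flows


def beacon_score(events):
    """Return (connection_count, interval_cv, size_cv) for one src/dst pair.

    cv is the coefficient of variation (population stddev / mean); a value
    near 0 means the intervals (or sizes) are almost identical, i.e. machine-like.
    Pairs with fewer than three connections have no meaningful interval spread.
    """
    events = sorted(events)
    if len(events) < 3:
        return len(events), None, None
    intervals = [b[0] - a[0] for a, b in zip(events, events[1:])]
    sizes = [n for _, n in events]
    icv = pstdev(intervals) / mean(intervals) if mean(intervals) > 0 else 0.0
    scv = pstdev(sizes) / mean(sizes) if mean(sizes) > 0 else 0.0
    return len(events), icv, scv


def find_beacons(text, min_conns=5, max_interval_cv=0.1):
    """Return the (src, dst, dport) keys that look like beacons.

    Thresholds are assumptions for this example: at least min_conns
    connections and interval jitter of at most max_interval_cv.
    """
    suspects = []
    for key, events in parse_conn_log(text).items():
        count, icv, _scv = beacon_score(events)
        if count >= min_conns and icv is not None and icv <= max_interval_cv:
            suspects.append(key)
    return suspects


if __name__ == "__main__":
    for key, events in parse_conn_log(SAMPLE_LOG).items():
        print(key, beacon_score(events))
    print("beacon candidates:", find_beacons(SAMPLE_LOG))
```

Real implants add jitter to defeat exactly this test, which is why RITA also scores size consistency and the total number of connections; the thresholds above are starting points to tune against your own conn logs, not fixed rules.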

Thanks @BuckeyeNet and @LTS_Tom. So does it mean that, as we speak, there is no preventive IDS/IPS package for pfSense as an edge device that can decipher encrypted traffic coming into the network?

Technically, you could install signed certificates in each endpoint device and in pfSense that would allow visibility into some connections that are using TLS below version 1.3, but as more sites move to that, you lose visibility.
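Without installing an interception certificate, what an IDS on pfSense can still read from a TLS connection is the unencrypted ClientHello: the server name (SNI), the offered cipher suites and, for TLS 1.3 clients, the supported_versions extension. The script below is an added example, not code from this thread or from Suricata, that builds a minimal ClientHello in memory (a constructed sample, not captured traffic) and parses those fields back out, so you can see exactly which metadata survives encryption and whether a client is offering TLS 1.3. The builder is deliberately minimal (one cipher suite, no key_share) and is an assumption for the example, not a complete TLS implementation.

```python
"""
What stays visible on the wire without decryption: parse the SNI, cipher suites
and supported_versions extension out of a TLS ClientHello.
Added example, not Suricata's parser; the ClientHello is built in memory.
"""

TLS13 = 0x0304
TLS12 = 0x0303


def build_client_hello(server_name, versions):
    """Build a minimal TLS record carrying a ClientHello (constructed sample)."""
    name = server_name.encode("ascii")
    sni_list = b"\x00" + len(name).to_bytes(2, "big") + name          # host_name entry
    sni_ext = (b"\x00\x00" + (len(sni_list) + 2).to_bytes(2, "big")   # ext type 0
               + len(sni_list).to_bytes(2, "big") + sni_list)
    vers = b"".join(v.to_bytes(2, "big") for v in versions)
    sv_ext = b"\x00\x2b" + (len(vers) + 1).to_bytes(2, "big") + bytes([len(vers)]) + vers  # ext type 43
    exts = sni_ext + sv_ext
    body = (b"\x03\x03" + bytes(32) + b"\x00"      # legacy_version, random, empty session id
            + b"\x00\x02\x13\x01"                   # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                           # compression: null only
            + len(exts).to_bytes(2, "big") + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def parse_client_hello(record):
    """Return the plaintext metadata an IDS can read from a ClientHello record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + int.from_bytes(record[3:5], "big")]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4                                                             # skip type + 24-bit length
    info = {"legacy_version": int.from_bytes(hs[p:p + 2], "big"),
            "cipher_suites": [], "sni": None, "supported_versions": []}
    p += 2 + 32                                                       # version + random
    p += 1 + hs[p]                                                    # session id
    cs_len = int.from_bytes(hs[p:p + 2], "big")
    p += 2
    info["cipher_suites"] = [int.from_bytes(hs[i:i + 2], "big") for i in range(p, p + cs_len, 2)]
    p += cs_len
    p += 1 + hs[p]                                                    # compression methods
    if p >= len(hs):
        return info                                                   # no extensions (old clients)
    end = p + 2 + int.from_bytes(hs[p:p + 2], "big")
    p += 2
    while p + 4 <= end:
        etype = int.from_bytes(hs[p:p + 2], "big")
        elen = int.from_bytes(hs[p + 2:p + 4], "big")
        data = hs[p + 4:p + 4 + elen]
        p += 4 + elen
        if etype == 0:                                                # server_name
            q = 2                                                     # skip list length
            while q + 3 <= len(data):
                nlen = int.from_bytes(data[q + 1:q + 3], "big")
                if data[q] == 0:
                    info["sni"] = data[q + 3:q + 3 + nlen].decode("ascii")
                q += 3 + nlen
        elif etype == 43:                                             # supported_versions
            n = data[0]
            info["supported_versions"] = [int.from_bytes(data[i:i + 2], "big")
                                          for i in range(1, 1 + n, 2)]
    return info


def offers_tls13(info):
    """True if the client advertised TLS 1.3; legacy_version alone is not enough."""
    return TLS13 in info["supported_versions"]


if __name__ == "__main__":
    rec = build_client_hello("example.com", [TLS13, TLS12])
    info = parse_client_hello(rec)
    print(info, "offers TLS 1.3:", offers_tls13(info))
```

Note that the SNI is the only destination identity you get this way, and it is a client-supplied string: it is useful for allow/deny lists and for spotting odd destinations, but nothing authenticates it. The server's certificate, which TLS 1.2 sent in the clear, is encrypted in TLS 1.3, which is the visibility loss the post above refers to.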

I have realised there is an update, Suricata 4.1.6. @LTS_Tom, have you checked it out yet?

It works; here is the update list: https://suricata-ids.org/2019/12/13/suricata-4-1-6-released/