Suricata: Intrusion Detection and Security Flaws

Kudos to @ [LTS_Tom for the Good work on pfSense, Networking and Security. Your videos has really we the start ups.
Well after viewing the videos on how IIDS/IPS systems like Suricata in that they cannot catch threats in packets of a encrypted/secured transmitted traffic in the network then what can one do to mitigate such threats else then what is the need of setting Suricata and signing up the premium rulesets to be used by them when nowadays all network traffic are secured especially https traffic.

Is there a solution to this? Can someone help out. Thanks

The solution is to be more focused where you have visibility, which is at the endpoint.

But Tom traffic at to and from endpoints are now or mostly encrypted and in https, unless I do not get what you are trying to say. Can you throw more light please

Tools such Windows Defender, Sentinel One and Malwarebytes are all examples of workstation endpoint protection.

Oh ok, I now get you. So what about protection of the edge box (pfSense) which package can help protect these threat being transmitted on encrypted traffic from coming to the inside network.

There is no guarantee that you can, it’s all best effort.

There are some tools that look for signs of suspect communications.


Here’s the video I learned about them from John Strand, Keynote: A Hunting We Must Go | KringleCon 2019 Worth watching, and it has some humorous parts. This was part of the SANS Holiday Hacking Challenge 2019.

Here is a link to RITA

Also is a good tool for analysts when trying to trace out connections that look suspicious.

But both of these are still more reactive/informative and not as preventive.

Thanks @BuckeyeNet and @LTS_Tom. So does it mean that as we speak there is no preventive IDS/IPS package for pfSense as an edge device that can decipher encrypted traffic coming into the network ?

Technically, you could install signed certificates in each endpoint device and in pfsense that would allow visibility into some connections that are using TLS below version 1.3, but as more sites move to that you lose visibility.

I have realised there is an update of Suricata 4.1.6. @LTS_Tom have you checked it out yet

it works, here is the update list