Suricata/Squid Proxy Setup

Hi,

As is well known, Suricata is not able to inspect encrypted traffic, but I understand that there is a workaround where Squid proxy can be used to decrypt the traffic and then have Suricata monitor the relevant interface.

My questions are:

  1. Has anyone here actually implemented this setup, and more importantly, tested this to ensure that it works?

  2. I cannot seem to find any guides specifically on how to implement this. I have searched the web and YouTube without luck.

I am new to this forum and I'm still not sure about the rules regarding the posting of external links, but during my research I came across an interesting page on the Zenarmor app website (I am not affiliated with them), which integrates with pfSense CE and OPNsense, relating to some planned features. It states that they are working on a feature to mirror decrypted traffic to third-party tools like Suricata, which would be great, if only it were available now.

Any help would be appreciated and as a new member, I was hoping to provide value first before asking questions, but hopefully I will be able to contribute more in due course.

I have done this in the past and it does work. The issue is that Squid is being removed from pfSense because there are too many vulnerabilities and not enough contributors to fix them.

I can't talk much about Zenarmor because I haven't used it, but I know there are some users on this forum that have.

As more sites and services require certificate pinning, especially banking, it will become even more of a headache to manage.

I have a video dedicated to the topic.

Think about the risks of running such a complicated batch of code directly (not isolated) on your router. What could possibly go wrong?

The first issue is just how broken Squid is:

Agreed. Good video above too.

Second issue is running anything of this nature without virtualization is crazy.

Nobody in their right mind would install half the stuff in the pfSense repo directly on their server without a VM. But they happily do it on their core router.

I enjoy the dichotomies in life.

Many thanks for your feedback guys and for the links.

I have changed my mind about this setup. I agree that running something with numerous vulnerabilities (especially ones with publicly available CVEs) is a potential disaster and defeats the purpose of having a firewall in the first place, which is to stop breaches/exploits.

Back to the drawing board and I think that knowing the limitations of these firewalls, although slightly disappointing at times, is also an asset in terms of optimizing them for the things they can do best.

Typically, DNS and IP block lists mitigate a good portion of threats outbound. If you NAT services externally, then block all countries except the one you are in to reduce the risks inbound.

I'm not one to argue with an Emperor, so I'll definitely take this on board.

Other options to consider (or that I would consider):

  1. Put all this stuff on an in-line box. Just do it off the router for all the good reasons. I am dubious the juice is worth the squeeze, but I'm open to being proven wrong.

  2. Look into the Adam Networks solution. This is against my nature to recommend a commercial product, but what they have sounds really cool. I would at least give them an hour to sell me on it. There is a long thread about this product in this forum.

  3. Do what maximus suggested (what I do). Just live with good enough (becoming my life motto). If that bothers you, then look at client filters. Those are always better anyway.