Does Sruicata capture SSL/TLS traffic?

[Cantondy]

Hello,

I would like to know if, by default, Suricata captures SSL/TLS traffic (not necessarily decrypted). After several searches in the Security Onion documentation, I haven't found an answer.

Zeek gives me SSL traffic logs where I can see header information (source ip address, destinatrion, port, TLS version used) but it seems that Suricata doesn't detect any TLS traffic.

By creating a simple Suricata rule to capture all SSL traffic, no alert is generated in Security Onion, hence my question.

alert tls any any -> any any (msg: “TLS detected”; classtype:bad-unknown; sid:100000; rev:1; metadata:created_at 2024_12_05, signature_severity Informational, updated_at 2024_12_05;)

Is there any specific configuration to be done? Is it simply not possible to generate TLS alerts for Suricata?

Thanks !

[dougburks]

By default, Suricata should analyze SSL/TLS traffic as it sees it on the wire (encrypted, not cleartext). There are several rules in the default ruleset that alert on TLS traffic. For example:

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Observed Zimbra zauthtoken Exfil Domain (zimbrauser .me in TLS SNI)"; flow:established,to_server; tls.sni; bsize:13; content:"zimbrauser.me"; fast_pattern; reference:url,twitter.com/__0XYC__/status/1753000391770317099; classtype:credential-theft; sid:2050660; rev:1; metadata:attack_target Client_Endpoint, created_at 2024_02_01, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, tag Web_Client_Attacks, updated_at 2024_02_01, reviewed_at 2024_05_06;)

If you have enabled a BPF for Suricata like not port 443 then that would prevent Suricata from seeing TLS traffic on port 443.

[Cantondy]

Hello,
I haven't activated any BPF for suricata.

To generate SSL/TLS traffic, I make requests via HTTPS in my browser. Is this the right way to proceed? I see the logs of this traffic in Security Onion under zeek.ssl, but no alerts are triggered.

For example, I tried to create another rule to detect the TLS version used, but again no alert was triggered despite the fact that I was indeed making a request with the TLS version corresponding to the rule.

alert tls $HOME_NET any -> any any (msg:"Weak TLS encryption suite detected"; tls.version:1.1; classtype:bad-unknown; sid:1000010; rev:1; metadata:created_at 2024_12_05, signature_severity Informational, updated_at 2024_12_05;)

It really seems that suricata isn't detecting any TLS traffic, or that my rules don't have the right triggers for my SSL/TLS requests.

[dougburks]

I tested your simple TLS rule from your initial post and it alerts as expected for me:

Try going through the Troubleshooting Alerts section of our documentation:
https://docs.securityonion.net/en/2.4/suricata.html#troubleshooting-alerts

If you need further help, please provide the outcome of each troubleshooting step.

[Cantondy]

Hello,

While doing some more research and testing, I came across a post of a similar problem: https://groups.google.com/g/security-onion/c/Qoh9jlOi2_U

According to this post, it seems that the solution is to change the :

vlan
use-for-tracking 

to false.

So I made this change:

• Go to the GUI under Administration --> Configuration

• In the Option tab at the top, check show advanced settings

• Then go to the suricata tab --> config --> vlan --> use-for-tracking and set the value to false

And it actually worked, I'm now able to trigger alerts on SSL/TLS and HTTP traffic (the rule I gave earlier works).

This “vlan-for-tracking” option is used to tell Suricata to identify and track packets that cross a network with a specific VLAN or not.
So it seems to be a problem on the side of my infrastructure, or a compatibility problem between Security onion and certain infrastructures depending on their configuration.

I'll keep digging into the specifics of my infrastructure to find out exactly what the problem is.

[dougburks]

I've updated the docs to mention this:
Security-Onion-Solutions/securityonion-docs@61678de

[Cantondy]

Thanks for the update

I mark this issue as closed for the moment.