
Questions regarding proxy/logging

Open · swiftbird07 opened this issue 3 years ago · 1 comment

Hello, I really like your project, especially the TLS decryption feature, but I have questions:

1. As I understand it, it is possible to inspect decrypted TLS traffic with suricata/snort with all the rules etc., right?

   1.2. Is there a feature for remote logging (especially the eve.json)?

2. Is it possible to just use SSLproxy to decrypt the traffic and mirror the decrypted traffic to a Suricata server? In my case I just want to have an internet proxy (MyDevices <-> SSL Proxy <-> Internet) to monitor for malicious traffic and not block anything or something like that.

swiftbird07 · May 17 '21 17:05

I have developed the SSLproxy preprocessor for Snort, so that UTMFW uses Snort in active inline mode. This is not possible with Suricata yet, but there is a feature request to add SSLproxy support to Suricata.

SSLproxy can mirror decrypted traffic to a network interface, see the MirrorIf/MirrorTarget (-I/-T) options. See the man page for details. If you want to feed the decrypted traffic to a passive IDS, you can use those same options, but if that's all you need, perhaps you want to use the SSLsplit project instead (SSLsplit supports the same options).

sonertari · May 17 '21 18:05