HOWTO : Self-signed Certificate on Suricata

Problem



The most common weakness of Intrusion Detection and Prevention Systems is the inspection of encrypted traffic. Encrypted SSL/TLS traffic requires the signed certificate to be decrypted. Some malicious activities use a self-signed certificate for their SSL/TLS connection. In TLS 1.2 and earlier the server certificate is sent in the clear during the handshake, so its subject and issuer can be inspected without decrypting the session.



Solution



How can we do that? If you are running Suricata as an IPS, you can do it easily by following the referenced blog post. The rule detects self-signed certificates regardless of the port number (it matches any source and destination port).



Make sure you have configured Suricata properly according to the blog post.



You can also adapt this rule for other purposes.



Quick Reference



self-signed-cert.lua



The Suricata rule is:



alert tls any any -> any any (msg:"SURICATA TLS Self Signed Certificate"; flow:established; luajit:self-signed-cert.lua; tls.store; classtype:protocol-command-decode; sid:999666111; rev:1;)
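The page links to self-signed-cert.lua without showing it; the following is an added example of what such a script looks like, written here and not the original script. It assumes the Lua detection API of Suricata 3.x through 6.x (init/match callbacks and TlsGetCertInfo, which returns version, subject, issuer and fingerprint); Suricata 7 and later changed this API, so check the documentation for your version.

```lua
-- Added example: a self-signed certificate check in the shape Suricata's
-- legacy Lua/LuaJIT detection API expects. Not the page's own script.

-- Normalize a distinguished name so cosmetic differences (whitespace,
-- letter case) do not break the comparison.
local function normalize_dn(dn)
    if dn == nil then
        return nil
    end
    local s = dn:gsub("^%s+", "")   -- trim leading whitespace
    s = s:gsub("%s+$", "")          -- trim trailing whitespace
    s = s:gsub(",%s+", ",")         -- "C=XX, O=Foo" -> "C=XX,O=Foo"
    return s:lower()
end

-- A certificate whose issuer DN equals its subject DN has signed itself.
-- Caveat: trusted root CA certificates are also self-signed, so a hit is
-- an indicator to investigate (tls.store keeps the certificate for that),
-- not proof of malice.
function is_self_signed(subject, issuer)
    local s = normalize_dn(subject)
    local i = normalize_dn(issuer)
    if s == nil or i == nil or s == "" or i == "" then
        return false
    end
    return s == i
end

-- Suricata calls init() once when the rule is loaded; the "tls" key tells
-- it which protocol data the script needs.
function init(args)
    local needs = {}
    needs["tls"] = tostring(true)
    return needs
end

-- Suricata calls match() for each TLS flow the rule is evaluated against;
-- return 1 to match (alert fires), 0 otherwise.
function match(args)
    local version, subject, issuer, fingerprint = TlsGetCertInfo()
    if version == nil then
        return 0  -- no certificate has been seen on this flow yet
    end
    if is_self_signed(subject, issuer) then
        return 1
    end
    return 0
end
```

The is_self_signed function can be exercised outside Suricata with any Lua interpreter (for example is_self_signed("CN=evil.example", "CN=evil.example") returns true), which makes the comparison logic easy to unit-test before deploying the rule.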



HOWTO : LuaJIT on Suricata



That's all! See you.