Closed GhostNaix closed 11 months ago
This is from README:
If no filtering rules are defined for a proxyspec, all log actions for that proxyspec are enabled. Otherwise, all log actions are disabled, and filtering rules should enable them specifically.
I think this is not a bug, but probably not the best default behavior.
Can you add another rule like the following to that proxyspec: Match * log mirror, so that the other connections are mirror logged (hopefully, if not then perhaps that's a bug).
Ah I see. Thank you, and my apologies for wasting your time then. Adding Match * log mirror to the proxyspec allowed the decrypted packets to be mirrored to the specified interface.
Also some notes I learned along the way:
Say you have some filter rules like the following:
-- Snip --
FilterRule {
    Action Pass
    SrcIp *
    SNI .ui.com*
    CN .ui.com*
}
-- Snip --
You must place it above the FilterRule as sslproxy reads the config sequentially like so:
-- Snip --
Match * log mirror
FilterRule {
    Action Pass
    SrcIp *
    SNI .ui.com*
    CN .ui.com*
}
-- Snip --
or like this:
-- Snip --
FilterRule {
    Action Match
    SrcIp *
    Log mirror
}
FilterRule {
    Action Pass
    SrcIp *
    SNI .ui.com*
    CN .ui.com*
}
-- Snip --
PS: In Mirror/Split mode this is working with Suricata v6.0.5 and higher, although it may put strain on the interface you are capturing on.
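A lint for the README behaviour quoted in this thread, as an added example that is not part of the thread or of SSLproxy's own code: it reports whether a proxyspec's filter rules leave mirror logging silently disabled, which would blind an IDS reading the mirror interface. It assumes the input is only the filter-rule lines of one proxyspec, recognises only the two rule syntaxes shown in the snippets above, and uses hypothetical names (`parse_rules`, `mirror_status`); `PASS_ONLY` is a sample constructed from the thread.

```python
import re

# One-line rules start with a filter action; the block form is FilterRule { ... }.
# Only the syntax visible in this thread is handled (assumption).
ONE_LINE = re.compile(r"^(Match|Pass|Divert|Split|Block)\b(.*)$", re.I)

# Constructed sample: the pass-only rule from the thread, with no Log line.
PASS_ONLY = """FilterRule {
    Action Pass
    SrcIp *
    SNI .ui.com*
    CN .ui.com*
}
"""

def parse_rules(conf_text):
    """Return one dict per rule: {'action': str or None, 'log': set of str}."""
    rules, block = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if block is not None:                    # inside FilterRule { ... }
            if line == "}":
                rules.append(block)
                block = None
            else:
                key, _, value = line.partition(" ")
                if key.lower() == "action":
                    block["action"] = value.strip().lower()
                elif key.lower() == "log":
                    block["log"].update(value.lower().split())
            continue
        if re.match(r"^FilterRule\s*\{$", line, re.I):
            block = {"action": None, "log": set()}
            continue
        m = ONE_LINE.match(line)
        if m:                                    # e.g. "Match * log mirror"
            words = m.group(2).lower().split()
            log = set(words[words.index("log") + 1:]) if "log" in words else set()
            rules.append({"action": m.group(1).lower(), "log": log})
    return rules

def mirror_status(conf_text):
    """Classify mirror logging per the README sentence quoted in the thread."""
    rules = parse_rules(conf_text)
    if not rules:
        return "enabled-by-default"   # no filter rules: all log actions on
    if any("mirror" in r["log"] for r in rules):
        return "enabled-by-rule"      # at least one rule enables mirror
    return "disabled"                 # rules exist, none enables mirror
```

The check only says whether some rule enables mirror logging, not which connections that rule matches.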
Hi, I'm trying to operate SSLProxy with the listed config and believe I have encountered a bug. Whenever I enable FilterRule to whitelist a specific website (enable passthrough for particular sites or IPs), SSLproxy does not replay the decrypted traffic on the interface specified; however, when I comment the FilterRules out, SSLproxy returns decrypted traffic to the interface.
When the FilterRule is active, I know that the proxy is still decrypting traffic because when I go to the security tab of Chrome I can see the self-signed certificate on websites other than the one I listed as a passthrough.
OS: Ubuntu 22.04.3 LTS
Output of sslproxy -V:
Output of uname -a:
Linux UbuntuBox 5.15.0-78-generic #85-Ubuntu SMP Fri Jul 7 15:25:09 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
Exact command line arguments
sslproxy -f "/etc/SSLProxy/sslproxy.conf"
NAT redirection rules
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443
Configuration of SSLproxy