cpt_154228
Jun 26, 2017 Nimbostratus
Sending a traffic feed of decrypted TLS traffic to an external intrusion detection system
I'm trying to set up an intrusion detection system (Suricata) which inspects TLS-decrypted traffic from our F5 (for VIPs on which we do TLS offloading).
My initial thoughts were that I could simply set up 'clone pools' or 'interface mirroring' [1], but based on what I've read in some other posts [2], both of these options will only result in encrypted traffic being made available. And that's not what I'm after -- we want a decrypted feed.
What's the recommended approach for achieving this?
[1] https://support.f5.com/csp/article/K13392
[2] https://devcentral.f5.com/questions/ssl-decryption-to-ids, https://devcentral.f5.com/questions/clone-pool-and-port-mirroring