Closer cooperation between OPNsense and Suricata – TLS traffic decryption discussion

Hello everyone,

I would like to start a discussion about a topic that I believe is becoming increasingly important, especially when using Suricata in combination with OPNsense.

I am aware that for known malware there is already a lot of intelligence available (signatures, IPs, domains, behavioral indicators, etc.). However, a fundamental limitation still remains:
Most network traffic today is TLS-encrypted, which means Suricata cannot inspect large parts of the actual payload.

From a security perspective, this can be problematic. Even if malware is considered “known”, there may still be hidden or additional components, backdoors, or dynamically loaded payloads inside encrypted traffic that remain undetected simply because they cannot be inspected.

This leads me to the following questions and suggestions:

  • Would it make sense for OPNsense and Suricata developers to work more closely together on practical approaches for TLS decryption / inspection (e.g. SSL offloading, integration with proxies)?

  • Are there existing plans, recommendations, or best practices to enable deeper inspection while keeping performance, security, and privacy concerns in mind?

I fully understand that TLS inspection is complex and raises legal and privacy considerations (e.g. GDPR). Still, I think such capabilities could be extremely valuable, especially for security labs, enterprise environments, or honeypots, where visibility is critical.

I would be very interested in hearing your thoughts, experiences, or any existing solutions you may already be using.