Re: Deep Packet Inspection

Well. You can't really "decipher" SSL without changing the certificate, but you can exclude some sites from SSL bumping.


On Tue, Aug 21, 2018 at 9:31 AM Mimiko <vbvbrj@gmail.com> wrote:
Thank you all for suggestions.

Yes, I didn't tell my goal. First of course is to limit access to web sites and collect statistics. Yes, this could be done with squid and ssl_bump. I hope this does not change the certificate, as internet banking will not work otherwise. The problem for a quick implementation is the need to recompile squid to support SSL.

The second goal is to intercept packets on other ports to limit services like Skype and TeamViewer (especially the latter).

For now I use iptables -m string --algo kmp --to 65535 --string to match some strings in the connection and block access to some sites by domain name. But this will not allow me to block access to all sites and allow access to only several sites.

I was looking for a quick implementation.

l7filter was interesting for me, but it is not supported anymore. nDPI scares me with patching the kernel. And OpenDPI is not in the repository.

I will try to implement OpenDPI by compiling it, as well as squid, but this is a long process.

As I read, snort, suricata and zorp are self-contained firewalls. I use a standard Debian installation where I run several different services.

Thanks again.
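The reply above says banking sites can be excluded from SSL bumping so their certificate is never replaced, and the quoted message wants an allowlist of a few sites plus statistics. The squid.conf fragment below is an added example, not configuration from either poster. It assumes a Squid 4 build with OpenSSL support (the stock Debian package may lack it, as the quoted message notes), a locally generated CA at the hypothetical path /etc/squid/ssl_cert/myCA.pem, and the constructed domains .bank.example and .allowed.example.

```conf
# Added example squid.conf fragment (not from the thread).
# Assumes: Squid 4 built with --with-openssl, a local CA at the hypothetical
# path /etc/squid/ssl_cert/myCA.pem, constructed example domains.

# Plain proxy port plus an intercepting HTTPS port with SslBump enabled.
http_port 3128
https_port 3129 intercept ssl-bump \
    cert=/etc/squid/ssl_cert/myCA.pem \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB
# Helper that mints per-host certificates signed by the local CA (Squid 4 name).
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# Sites that must keep their original server certificate (online banking):
# they are spliced, i.e. tunnelled untouched, instead of bumped.
acl nobump_sites ssl::server_name .bank.example .onlinebank.example

# Step 1: peek at the TLS ClientHello to learn the SNI without altering it.
acl step1 at_step SslBump1
ssl_bump peek step1
# Step 2: splice the excluded sites, bump everything else.
ssl_bump splice nobump_sites
ssl_bump bump all

# Allowlist: only these destinations are reachable from the LAN; all else is denied.
acl localnet src 192.168.0.0/16
acl allowed_sites dstdomain .allowed.example .example.org
http_access allow localnet allowed_sites
http_access deny all

# Per-request statistics (client, URL, bytes, decision) land in the default log.
access_log /var/log/squid/access.log squid
```

Two points worth checking before relying on this: spliced connections are still subject to http_access, so a banking site must also appear in the allowlist or it will be denied at the fake CONNECT stage; and for intercepted traffic the domain known at step 1 is derived from the destination IP, with the SNI only becoming available after the peek, which is why the splice decision is made at step 2. Clients on the LAN only need the CA installed to avoid certificate warnings for bumped sites; the spliced banking sites present their own certificate unchanged.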

