[Snort-devel] [ekr at ...168...: Re: format string in ssl dump]

Eric Rescorla ekr at ...168...
Tue Dec 19 17:55:25 EST 2000


Todd Lewis:
> On Tue, 19 Dec 2000, Martin Roesch wrote:
> > Basically what I'm imagining that we'd
> > like to do is to treat it as a decoder plugin to Snort which would fill in
> > various data structs that would then be passed to the detection elements of
> > the system.  
> > 
> > Sounds reasonable?  I'm not sure if this is what Fyodor is thinking, but it
> > sounds pretty reasonable to me. :)
> 
> I want to make sure that I understand first.  What would the API for
> this look like?  Where would this plug in?
This is pretty much the answer I'm looking for as well.

I sort of envision there being two interfaces to ssldump, an "in" and
an "out". One passes SSL data into the in interface and the 
decoded and decrypted traffic appears on the out interface.

IN
ssldump is relatively modular so one could either wire it up directly
to the network and let it handle TCP reassemble or pass it reassembled
TCP data as it becomes available. 

OUT
Currently I don't have anything implemented here. ssldump just handles
the traffic internally, but having a modular out interface is on
my TODO list for other reasons. The primary problem has to do with
output of the parsed SSL traffic. The plaintext itself is no
problem because it's basically unstructured. However, the SSL
handshake contains quite a bit of strutured data and I need to cook up
output interface for this data.

As you can see, there's a lot of leeway here so I need to have some idea 
of what snort is going to expect.

-Ekr








More information about the Snort-devel mailing list