[Snort-devel] [ekr at ...168...: Re: format string in ssl dump]

Martin Roesch roesch at ...48...
Tue Dec 19 17:29:47 EST 2000


Hi Todd, et al.

I think modularizing ssldump for easy inclusion into Snort and other projects
is probably the way to go.  I really see this as an application layer decoder,
which is something we hope to introduce into follow-on versions of Snort
(modular decoder plugin architecture).  Basically what I'm imagining that we'd
like to do is to treat it as a decoder plugin to Snort which would fill in
various data structs that would then be passed to the detection elements of
the system.  

Sounds reasonable?  I'm not sure if this is what Fyodor is thinking, but it
sounds pretty reasonable to me. :)

   -Marty

Todd Lewis wrote:
> 
> Snort fellas, can we get some answers on this topic?  With just a little
> direction, we could get some work done here...
> 
> (I hope everyone's not gone for Xmas.)
> 
> --
> Todd Lewis                                       tlewis at ...120...
> 
>   God grant me the courage not to give up what I think is right, even
>   though I think it is hopeless.          - Admiral Chester W. Nimitz
> 
> On Tue, 19 Dec 2000, Eric Rescorla wrote:
> 
> > > Did this discussion die or go private?
> > I still haven't heard anything.
> >
> > -Ekr
> >
> > > --
> > > Todd Lewis                                       tlewis at ...120...
> > >
> > >   God grant me the courage not to give up what I think is right, even
> > >   though I think it is hopeless.          - Admiral Chester W. Nimitz
> > >
> > > On Sat, 16 Dec 2000, Eric Rescorla wrote:
> > >
> > > > > I am not sure that I quite understand what you are wanting to do, but
> > > > > from the messages I've seen, I think that there may be some overlap with
> > > > > my work.  Let me run it past you and get your feedback.
> > > > Probably the first question to ask is what Fyodor had in mind when he
> > > > suggested that I "integrate ssldump into snort"?
> > > >
> > > > I had sort of assumed that the idea here would be that I would
> > > > modularize ssldump in such a way that snort's packet acquisition
> > > > engine could pass packets to ssldump for interpretation/expansion
> > > > and then pass the expanded view to the intrusion detection engine.
> > > >
> > > > Fyodor, is this what you had in mind?
> > > >
> > > > -Ekr
> > > >
> > > > [Eric Rescorla                                   ekr at ...168...]
> > > >
> > >
> >
> >
> > _______________________________________________
> > Snort-devel mailing list
> > Snort-devel at lists.sourceforge.net
> > http://lists.sourceforge.net/mailman/listinfo/snort-devel
> >
> 

-- 
Martin Roesch
roesch at ...48...
http://www.snort.org



