[Snort-devel] [ekr at ...168...: Re: format string in ssl dump]

Eric Rescorla ekr at ...168...
Wed Dec 20 00:12:23 EST 2000


> Eric Rescorla wrote:
> > 
> > Todd Lewis:
> > > On Tue, 19 Dec 2000, Martin Roesch wrote:
> > > > Basically what I'm imagining that we'd
> > > > like to do is to treat it as a decoder plugin to Snort which would fill in
> > > > various data structs that would then be passed to the detection elements of
> > > > the system.
> > > >
> > > > Sounds reasonable?  I'm not sure if this is what Fyodor is thinking, but it
> > > > sounds pretty reasonable to me. :)
> > >
> > > I want to make sure that I understand first.  What would the API for
> > > this look like?  Where would this plug in?
> > This is pretty much the answer I'm looking for as well.
> > 
> > I sort of envision there being two interfaces to ssldump, an "in" and
> > an "out". One passes SSL data into the in interface and the
> > decoded and decrypted traffic appears on the out interface.
> > 
> > IN
> > ssldump is relatively modular so one could either wire it up directly
> > to the network and let it handle TCP reassemble or pass it reassembled
> > TCP data as it becomes available.
> > 
> > OUT
> > Currently I don't have anything implemented here. ssldump just handles
> > the traffic internally, but having a modular out interface is on
> > my TODO list for other reasons. The primary problem has to do with
> > output of the parsed SSL traffic. The plaintext itself is no
> > problem because it's basically unstructured. However, the SSL
> > handshake contains quite a bit of strutured data and I need to cook up
> > output interface for this data.
> 
> In the existing system (Snort 1.X) we'd make this into a preprocessor like the
> http_decode plugin.  So what you'd get in is a decoded packet stream and what
> we'd expect out is the same packet with the encrypted payload "normalized"
> back into plaintext.
>
> The HTTP decode preprocessor plugin works in a similar fashion.  When it sees
> web traffic come in, it automatically examines this traffic looking for
> encoded URIs, then converts them to their ASCII equivalent in place in the
> packet data.  
> 
> Would this be a possibility or would it require too much entabglement with
> Snort plugin code?
I don't know how the snort plugin code works yet.



More information about the Snort-devel mailing list