[Snort-devel] RE: [Snort-users] Encrypted sessions
erek at ...105...
Tue Nov 27 22:58:01 EST 2001
On Wed, 28 Nov 2001, Abe L. Getchell wrote:
> What I would love to see is a crypto feature built into Snort much like
> has been built into tcpdump (compiled using './configure --with-crypto'
> and used at run-time using 'tcpdump -E <stuff>'), with a little more
> flexibility (more algorithm options, better support for the ESP RFCs,
> etc). If the correct key or passphrase is known, it could be provided
> to Snort at run-time, traffic could be decrypted on the fly by a
> preprocessor, and the clear text data checked against the rule set being
That would indeed be a kick ass pre/post processor to have!
> The one major drawback I see to this approach is the possibility of
> processor saturation. A Snort box in a high-traffic environment already
> has its hands full checking packets against the large number of sigs
> common in networks such as these. Chances are, it wouldn't have many
> free proc cycles to perform such a processor intensive task as
> decrypting data. This feature would thus only be useful in a
> low-traffic environment without introducing a packet loss problem.
Hrm... This brings to mind something--Sun and IBM are both sporting Crypto
Accelerator cards. Intel (and 3com?) now have a crypto chip built into some
ethernet cards... With the benefit of those two bits of hardware, I wonder
how much saturation you would get? If the key/algorithm is known, and can
have a decoder built for it, it should scream! And no, I'm not a Crypto
Monkey, nor do I play one on T.V. :)
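To make the "decrypt on the fly, then inspect" idea from the thread concrete, here is an added example (not code from the thread, Snort or tcpdump) of the minimal preprocessor pipeline: look up the security association by SPI, verify the ESP integrity check value, strip the ESP trailer and hand the inner payload to a content-matching rule set. To stay self-contained it implements only the ESP NULL encryption transform (RFC 2410, so "decryption" is a no-op) together with HMAC-SHA1-96 authentication from the standard library; a real transform such as 3DES-CBC or AES-CBC would be dispatched on `sa.enc_alg` in `parse_esp`. The SA table, key, SPI, sample payload and the one detection rule are all constructed for the example.

```python
"""Decrypt-then-inspect sketch for ESP with a known key (added example)."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

ICV_LEN = 12  # HMAC-SHA1-96 truncates the authentication tag to 96 bits


class EspError(Exception):
    """Packet cannot be authenticated or decoded; the IDS should alert, not guess."""


@dataclass
class SecurityAssociation:
    spi: int
    enc_alg: str      # only "NULL" (RFC 2410) is implemented in this example
    auth_key: bytes   # HMAC-SHA1-96 key; b"" means the SA carries no ICV


def build_esp(sa: SecurityAssociation, seq: int, next_header: int, payload: bytes) -> bytes:
    """Build an ESP packet (used here only to construct test traffic)."""
    # Trailer (pad length + next header) must end on a 4-byte boundary;
    # RFC 2406 padding bytes are the monotonically increasing series 1, 2, 3, ...
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))
    body = payload + padding + bytes([pad_len, next_header])
    packet = struct.pack("!II", sa.spi, seq) + body
    if sa.auth_key:
        # ICV covers SPI, sequence number and the (encrypted) body
        packet += hmac.new(sa.auth_key, packet, hashlib.sha1).digest()[:ICV_LEN]
    return packet


def parse_esp(packet: bytes, sa_table: dict):
    """Return (spi, seq, next_header, inner_payload) or raise EspError."""
    if len(packet) < 8:
        raise EspError("short ESP header")
    spi, seq = struct.unpack("!II", packet[:8])
    sa = sa_table.get(spi)
    if sa is None:
        # Without the key the sensor can only log the SPI; there is nothing to inspect
        raise EspError(f"no SA for SPI 0x{spi:08x}; cannot decrypt")
    body = packet[8:]
    if sa.auth_key:
        if len(body) < ICV_LEN:
            raise EspError("packet shorter than its ICV")
        icv, body = body[-ICV_LEN:], body[:-ICV_LEN]
        expected = hmac.new(sa.auth_key, packet[:8 + len(body)], hashlib.sha1).digest()[:ICV_LEN]
        # Verify integrity first: never feed forged or corrupted ciphertext to the decoder
        if not hmac.compare_digest(icv, expected):
            raise EspError("ICV mismatch")
    if sa.enc_alg == "NULL":
        plain = body                      # RFC 2410: the "cipher" is the identity
    else:
        raise NotImplementedError(f"transform {sa.enc_alg} not wired up in this example")
    if len(plain) < 2:
        raise EspError("missing ESP trailer")
    pad_len, next_header = plain[-2], plain[-1]
    if pad_len > len(plain) - 2:
        raise EspError("pad length exceeds payload")
    return spi, seq, next_header, plain[:len(plain) - 2 - pad_len]


def inspect(payload: bytes, rules) -> list:
    """Simplest possible content matching over the recovered clear text."""
    return [name for name, content in rules if content in payload]


# --- constructed sample traffic ------------------------------------------
SA = SecurityAssociation(spi=0x00001000, enc_alg="NULL", auth_key=b"constructed-demo-key")
SA_TABLE = {SA.spi: SA}
RULES = [("WEB-MISC /etc/passwd", b"/etc/passwd")]  # constructed rule, not a Snort rule
SAMPLE_PACKET = build_esp(SA, seq=1, next_header=6, payload=b"GET /../../etc/passwd HTTP/1.0\r\n")


def demo(packet: bytes = SAMPLE_PACKET) -> list:
    """Run the preprocessor pipeline on one packet and return matched rule names."""
    _spi, _seq, _next_header, clear = parse_esp(packet, SA_TABLE)
    return inspect(clear, RULES)


if __name__ == "__main__":
    print("alerts:", demo())
```

The ordering inside `parse_esp` is the security-relevant part: the ICV is checked before anything is decoded, so a flipped bit or a forged packet is rejected as an integrity failure rather than producing garbage for the rule engine. It also shows where the thread's saturation concern lives: every packet costs one MAC computation plus one decryption before the normal signature pass even starts.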