[Snort-devel] RE: [Snort-users] Encrypted sessions

Erek Adams erek at ...105...
Tue Nov 27 22:58:01 EST 2001


On Wed, 28 Nov 2001, Abe L. Getchell wrote:

[...snip...]

> What I would love to see is a crypto feature built into Snort much like
> has been built into tcpdump (compiled using './configure --with-crypto'
> and used at run-time using 'tcpdump -E <stuff>'), with a little more
> flexibility (more algorithm options, better support for the ESP RFCs,
> etc).  If the correct key or passphrase is known, it could be provided
> to Snort at run-time, traffic could be decrypted on the fly by a
> preprocessor, and the clear text data checked against the rule set being
> used.

That would indeed be a kick ass pre/post processor to have!

> The one major drawback I see to this approach is the possibility of
> processor saturation.  A Snort box in a high-traffic environment already
> has its hands full checking packets against the large number of sigs
> common in networks such as these.  Chances are, it wouldn't have many
> free proc cycles to perform such a processor intensive task as
> decrypting data.  This feature would thus only be useful in a
> low-traffic environment without introducing a packet loss problem.

Hrm...  This brings to mind something--Sun and IBM are both sporting Crypto
Accelerator cards.  Intel (and 3com?) now have a crypto chip built into some
ethernet cards...  With the benefit of those two bits of hardware, I wonder
how much saturation you would get?  If the key/algorithm is known, and can
have a decoder built for it, it should scream!  And no, I'm not a Crypto
Monkey, nor do I play one on T.V.  :)

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
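The decrypt-then-inspect preprocessor described in the quoted message, as an added example that is not part of this thread or of Snort. It assumes a hypothetical SA table of SPI-to-key pairs (playing the role of the spi/secret pairs tcpdump's -E takes), uses a constructed keystream cipher (HMAC-SHA256 in counter mode) in place of the real ESP cipher so it runs with the standard library only, follows the RFC 2406 header/trailer layout without the optional ICV, and matches cleartext against two constructed content signatures. Packets whose SPI is unknown, or whose padding does not check out after decryption (wrong key or corruption), are reported as undecodable rather than matched.

```python
import hashlib
import hmac
import struct

# Constructed stand-in for the ESP cipher: HMAC-SHA256 in counter mode yields a
# keystream, so the example needs only the standard library.  Real ESP uses
# AES-CBC, 3DES-CBC, etc.; the packet layout below follows RFC 2406.
def keystream(key, spi, seq, length):
    blocks = []
    total = 0
    ctr = 0
    while total < length:
        nonce = struct.pack(">IIQ", spi, seq, ctr)
        block = hmac.new(key, nonce, hashlib.sha256).digest()
        blocks.append(block)
        total += len(block)
        ctr += 1
    return b"".join(blocks)[:length]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def esp_encrypt(key, spi, seq, next_header, plaintext):
    """Build an ESP packet: SPI | seq | enc(payload | padding | pad_len | next_header).
    The optional ICV is omitted."""
    pad_len = (-(len(plaintext) + 2)) % 4       # trailer must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))       # RFC 2406 default padding is 1, 2, 3, ...
    body = plaintext + padding + bytes([pad_len, next_header])
    ciphertext = xor_bytes(body, keystream(key, spi, seq, len(body)))
    return struct.pack(">II", spi, seq) + ciphertext


def esp_decrypt(sa_table, packet):
    """Return (next_header, payload), or None when the packet cannot be inspected."""
    if len(packet) < 8 + 2:
        return None
    spi, seq = struct.unpack(">II", packet[:8])
    key = sa_table.get(spi)                      # hypothetical SA table: {spi: key}
    if key is None:
        return None                              # unknown SA: no key, nothing to inspect
    body = xor_bytes(packet[8:], keystream(key, spi, seq, len(packet) - 8))
    pad_len, next_header = body[-2], body[-1]
    if pad_len + 2 > len(body):
        return None                              # wrong key or corrupted packet
    if body[len(body) - 2 - pad_len:-2] != bytes(range(1, pad_len + 1)):
        return None                              # padding check fails: treat as undecodable
    return next_header, body[:len(body) - 2 - pad_len]


# Constructed content signatures in the spirit of Snort's "content:" option.
SIGNATURES = [
    ("constructed sig: /etc/passwd", b"/etc/passwd"),
    ("constructed sig: cmd.exe", b"cmd.exe"),
]


def inspect_packet(sa_table, packet):
    """Decrypt with the configured SA keys, then match the cleartext against
    SIGNATURES.  Returns (status, list_of_matching_signature_names)."""
    decoded = esp_decrypt(sa_table, packet)
    if decoded is None:
        return "undecodable", []
    _next_header, payload = decoded
    hits = [name for name, pattern in SIGNATURES if pattern in payload]
    return "inspected", hits


if __name__ == "__main__":
    # Constructed sample: one SA, one packet carrying a cleartext request that
    # the first signature should catch only after decryption.
    sa_table = {0x1000ABCD: b"constructed-sample-key"}
    pkt = esp_encrypt(sa_table[0x1000ABCD], 0x1000ABCD, 7, 6,
                      b"GET /../../etc/passwd HTTP/1.0\r\n")
    print(inspect_packet(sa_table, pkt))   # ('inspected', ['constructed sig: /etc/passwd'])
    print(inspect_packet({}, pkt))         # ('undecodable', [])
```

The per-packet keystream generation is the cost the quoted message worries about: every ESP packet whose SPI is in the table gets a full decrypt before any rule is consulted, so a sensor on a busy link pays that price whether or not the cleartext ends up matching anything.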

