[Snort-devel] RE: [Snort-users] Encrypted sessions

Abe L. Getchell abegetchell at ...243...
Wed Nov 28 07:13:02 EST 2001


> That would indeed be a kick ass pre/post processor to have!

It would probably have to be a preprocessor so things like the HTTP,
telnet, and RPC decode preprocessors can have a whack at the data before
it's matched against the sigs.  I can't think of any disadvantages of
making this a 'pre' as opposed to a 'post' processor.

> Hrm...  This brings to mind something--Sun and IBM are both 
> sporting Crypto Accelerator cards.  Intel (and 3com?) now 
> have a crypto chip built into some ethernet cards...  With 
> the benefit of those two bits of hardware, I wonder how much 
> saturation you would get?  If the key/algorithm is known, and 
> can have a decoder built for it, it should scream!  And no, 
> I'm not a Crypto Monkey, nor do I play one on T.V.  :)

A link to the Intel version:

http://www.intel.com/network/connectivity/products/pro100s_srvr_adapter.htm

I was actually putting together an order for some equipment that would
be working with IPSec tunnels when these cards first came out, and
seriously looked into getting them to speed up the encryption/decryption
process.  At the time, however, they only supported Windows NT 4.0 &
Windows 2000 (which was not my OS of choice... Lots of holes... Stupid
disclosure 'policy'... Yadda yadda yadda... =) ), as well as only
supporting data encryption, not decryption.  Looking at Intel's web site
now, it looks like they have all the functionality built into the
drivers for all of the OSes they support... Even Linux! ;-)  Hopefully,
because the drivers now support this functionality, it would be possible
to tap into this for use in this scenario!  You're right, it would
scream!

If I were to start hammering away at adding something like this into the
Snort code (as soon as I finish with the fifteen other projects I have
going on right now), would there be any objections to adding in a
compile time option to allow for the utilization of specialized hardware
such as this NIC?  I know the developers here try to keep the code as
portable as possible, and it might complicate that a touch, but it would
be one of those 'don't use it if you don't want to' kind of features.
Thoughts?

Thanks,
Abe

--
Abe L. Getchell
Security Engineer
abegetchell at ...243...
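The ordering argument in the message above (decrypt first, so the decode preprocessors and the signature matcher get plaintext) is easy to show with a toy pipeline. The following is an added example, not Snort code and not from the list thread: the "preprocessors" are plain Python functions, RC4 stands in for "a known key/algorithm" only because it is short and stdlib-free, and the packet, key and signature table are constructed for the demo. The same encrypted request is run with no decryption, with decryption placed after the HTTP decoder (the 'post' processor option), and with decryption placed before it (the 'pre' processor option).

```python
"""Toy packet pipeline: a session-decryption stage only helps the
HTTP decoder and the signature matcher if it runs *before* them.

Added example, not Snort's own code.  RC4 is used as the stand-in
"known algorithm" because it is short and needs no third-party module."""
from urllib.parse import unquote

# Constructed sample traffic: one HTTP request carrying an encoded "../".
SAMPLE_KEY = b"sharedkey"
SAMPLE_PLAINTEXT = b"GET /cgi-bin/%2e%2e/%2e%2e/etc/passwd HTTP/1.0\r\n\r\n"

# Constructed signature table: content pattern -> rule name.
SIGNATURES = {b"../": "WEB-MISC directory traversal"}


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher; encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_stage(key: bytes):
    """Hypothetical session-decryption preprocessor for a known key."""
    def stage(payload: bytes) -> bytes:
        return rc4(key, payload)
    return stage


def http_decode_stage(payload: bytes) -> bytes:
    """Mimics the http_decode preprocessor: normalise %xx escapes in the URI."""
    try:
        line, rest = payload.split(b"\r\n", 1)
        method, uri, version = line.split(b" ", 2)
    except ValueError:
        return payload  # not an HTTP request line; pass it through untouched
    # latin-1 round-trips every byte value, so decoding ciphertext cannot raise.
    uri = unquote(uri.decode("latin-1"), encoding="latin-1").encode("latin-1")
    return b" ".join((method, uri, version)) + b"\r\n" + rest


def match_signatures(payload: bytes) -> list:
    """Detection engine: plain content matching against the signature table."""
    return [name for pattern, name in SIGNATURES.items() if pattern in payload]


def run_pipeline(payload: bytes, stages) -> list:
    """Run the packet through each preprocessor in order, then match."""
    for stage in stages:
        payload = stage(payload)
    return match_signatures(payload)


def compare_orderings(key: bytes = SAMPLE_KEY,
                      plaintext: bytes = SAMPLE_PLAINTEXT) -> dict:
    """Alerts produced for one encrypted packet under three stage orderings."""
    wire = rc4(key, plaintext)  # what the sensor actually sees on the wire
    return {
        # No decryption: decoder and matcher only ever see ciphertext.
        "no_decrypt": run_pipeline(wire, [http_decode_stage]),
        # Decrypt as a 'post' processor: the decoder ran on ciphertext, so the
        # %2e%2e escapes are still there (or the data is mangled) when the rule runs.
        "decrypt_after_decode": run_pipeline(
            wire, [http_decode_stage, decrypt_stage(key)]),
        # Decrypt as a 'pre' processor: the decoder normalises the plaintext URI
        # and the traversal pattern is visible to the rule.
        "decrypt_before_decode": run_pipeline(
            wire, [decrypt_stage(key), http_decode_stage]),
    }


if __name__ == "__main__":
    for order, hits in compare_orderings().items():
        print(f"{order:22s} -> {hits}")
```

Only the last ordering fires the rule; the other two produce no alert even though the decryption key is known, which is the whole reason the decryption stage has to sit in front of the existing decode preprocessors rather than behind them.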