[Snort-devel] Possible issues with SSl Preprocessor?
l0rdch0de1m0rt at ...2499...
Fri Aug 5 09:56:12 EDT 2011
Hello. I have what may be a issue with the SSL pre-processor
consuming processors cycles for encrypted traffic. The Snort is
In my snort.conf I have the following line:
preprocessor ssl: noinspect_encrypted
When I start snort I run this:
# snort -c /etc/snort/snort.conf -u pcap -D -k none --daq afpacket -b
-i eth0 "port 443"
Most of alls the traffic this should see is SSL and it should not be
inspected after the snort determines it is SSL due to the 4-way
HOWEVER, this process is consuming 75-100% of my processor. I
thought once the snort realized it was SSl (encrypted), it would not
enspect that stream anymore. But then why so much processor usage?
Yes there is a lot of SSL traffic but just looking at 7 packets per
stream (maybe a few more depending on fragmentation, window size, and
PSH flags, etc.) does not seem logical to me to use so much of the
Thank you for any insights.
More information about the Snort-devel