[Snort-sigs] Common encryption Identification?

Matt Kettler mkettler at ...189...
Wed Oct 8 13:13:03 EDT 2003

At 09:08 AM 10/8/2003, Tony Hernandez wrote:
>Has anyone got any rules for detecting encryption types?

Can you define what you mean by "types" here?

Are you trying to detect common protocols which use encryption, such as 
SSL, or are you trying to figure out what kind of encryption was used (i.e. 
3DES vs. Blowfish vs. AES)? The latter should be impossible from looking at 
the encrypted data itself, but it might be possible for you to look in the 
protocol headers and know from those; however, you'd need to know what the 
protocol format is.

AIM supports a built-in S/MIME-based encryption format. Some tools also 
support using PGP and just send text-format PGP-encrypted messages.

Outside of things like the above, it's very unusual for them to use any 
standard format. A lot of IM "encryption add-on" type systems use 
home-brewed protocols coupled with some popular encryption algorithm like 
AES or Blowfish. Some of them go as far as using a home-brewed encryption 
algorithm as well.

>  I took a look at the packets and they all begin with ".....=..._....E." 
> anyone have any ideas?

Are those really .'s in there, or is that just an ASCII representation of 
an unprintable character?

If they're using encryption, the packets are almost certainly binary, and 
you'll need to look at hex dumps and stop looking at the ASCII.
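As an added illustration of the advice above (not code from the thread or from Snort): the script below hex-dumps a payload, recognises two standard framings the thread mentions (TLS/SSL record header, ASCII-armoured PGP) by their headers alone, and falls back to a byte-entropy heuristic for anything else. All sample payloads are constructed; the 64-byte "unknown" blob is built so that its first 16 bytes render as ".....=..._....E." in an ASCII view.

```python
import math
from collections import Counter

# Constructed sample payloads (not captured from any real client): a TLS
# record prefix, an ASCII-armoured PGP message, a 64-byte blob whose first
# 16 bytes render as ".....=..._....E." in an ASCII view, and plain text.
TLS_RECORD = bytes.fromhex("16030100200100001c0303") + bytes(range(21))
PGP_ARMOR = b"-----BEGIN PGP MESSAGE-----\nVersion: constructed\n\nhQEMA...\n"
UNKNOWN = bytes.fromhex("0001028aff3d00100c5f01029bee457f") + bytes(
    (i * 97 + 13) % 251 for i in range(48))
PLAINTEXT = b"hello " * 10


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; evenly spread byte values give the maximum (8 for long buffers)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def entropy_ratio(data: bytes) -> float:
    """Entropy relative to the most a buffer of this length could reach."""
    if len(data) < 2:
        return 0.0
    return shannon_entropy(data) / min(8.0, math.log2(len(data)))


def hexdump(data: bytes, width: int = 16) -> str:
    """Offset / hex / ASCII view; unprintable bytes show as '.', like the dots in the question."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart}  {ascii_part}")
    return "\n".join(lines)


def classify(payload: bytes) -> str:
    """Name the framing when a known header is present, otherwise judge by entropy.
    The cipher inside (AES, Blowfish, 3DES ...) is never recoverable from the bytes."""
    if payload.startswith(b"-----BEGIN PGP MESSAGE-----"):
        return "pgp-armored"
    # TLS/SSLv3 record header: content type 0x14..0x17, version 0x03 0x00..0x03.
    # A home-brewed protocol could start with the same bytes by chance, so this is a hint only.
    if len(payload) >= 5 and 0x14 <= payload[0] <= 0x17 and payload[1] == 3 and payload[2] <= 3:
        return "tls-record"
    return "high-entropy-binary" if entropy_ratio(payload) > 0.9 else "low-entropy"


if __name__ == "__main__":
    for name, p in [("tls", TLS_RECORD), ("pgp", PGP_ARMOR), ("unknown", UNKNOWN), ("text", PLAINTEXT)]:
        print(f"{name}: {classify(p)} (entropy {shannon_entropy(p):.2f} bits/byte)")
    print(hexdump(UNKNOWN[:32]))
```

The entropy threshold is relative to buffer length because a short payload cannot reach 8 bits/byte, so a 64-byte blob tops out near 6.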

