[Snort-users] Detection after decryption

Erik Engberg Erik.Engberg at ...511...
Mon Sep 25 12:35:15 EDT 2000


Hi,

I haven´t seen this one up yet.

Just another crazy (?) idea:

Wouldn´t it be neat to have a preprocessor/module for OpenSSH and/or Apache
that does intrusion detection on the traffic after its been decrypted?

What would it take and would it be hard would to build?

Perhaps that would be more in the domain of hostbased IDS. Although I got
the "idea" when we started talking here @work about SSL accelerators and
that you could do full network analysis of the traffic after it decrypted in
the accelerator box and went unencrypted to the web server.

/Erik



More information about the Snort-users mailing list