[Snort-users] Detection after decryption

Austad, Jay austad at ...432...
Mon Sep 25 13:15:59 EDT 2000

I've been wondering how hard something like this would be also.  We use a
little app that sniffs network traffic to generate webserver logs in one
place because our drives on our servers fill up so quickly with logs and
it's a pain to have to copy them off every day.  One of the problems with
this is that we can't sniff the SSL traffic.  If we could add openssh
support to the sniffer, and stick the private key into it, we'd be able to
grab logs for SSL.  Of course, it would require a hardware accelerator be
able to keep up.

I assume that adding this to snort would be roughly the same procedure.  I
haven't played with any of the openSSH stuff yet. 


-----Original Message-----
From: Erik Engberg [mailto:Erik.Engberg at ...511...]
Sent: Monday, September 25, 2000 11:35 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Detection after decryption


I haven´t seen this one up yet.

Just another crazy (?) idea:

Wouldn´t it be neat to have a preprocessor/module for OpenSSH and/or Apache
that does intrusion detection on the traffic after its been decrypted?

What would it take and would it be hard would to build?

Perhaps that would be more in the domain of hostbased IDS. Although I got
the "idea" when we started talking here @work about SSL accelerators and
that you could do full network analysis of the traffic after it decrypted in
the accelerator box and went unencrypted to the web server.

Snort-users mailing list
Snort-users at lists.sourceforge.net

More information about the Snort-users mailing list