[Snort-users] Detection after decryption

Erik Engberg Erik.Engberg at ...511...
Mon Sep 25 14:47:22 EDT 2000

I like the concept of having the key on the sniffer as well as on the
webserver/accelerator. I must admit that I hadn't thought of that yet (well
on my way though ;)).
That would be really neat (as a preprocessor?) and I guess not too hard to
implement, although it'd take a lot of CPU I guess.
But as long as you don't have too much ssl traffic to your webservers you
should do well without the accelerator. And if you don't want to shell out a
fortune on a hw accelerator you could always have the decryption done on a
separate box and feed snort the unencrypted traffic, or just have a separate
snort box just doing detection on SSL.


I've been wondering how hard something like this would be also.  We use a
little app that sniffs network traffic to generate webserver logs in one
place because our drives on our servers fill up so quickly with logs and
it's a pain to have to copy them off every day.  One of the problems with
this is that we can't sniff the SSL traffic.  If we could add openssh
support to the sniffer, and stick the private key into it, we'd be able to
grab logs for SSL.  Of course, it would require a hardware accelerator be
able to keep up.

I assume that adding this to snort would be roughly the same procedure.  I
haven't played with any of the openSSH stuff yet. 


I haven't seen this one up yet.

Just another crazy (?) idea:

Wouldn't it be neat to have a preprocessor/module for OpenSSH and/or Apache
that does intrusion detection on the traffic after it's been decrypted?

What would it take and would it be hard to build?

Perhaps that would be more in the domain of host-based IDS. Although I got
the "idea" when we started talking here @work about SSL accelerators and
that you could do full network analysis of the traffic after it was decrypted in
the accelerator box and went unencrypted to the web server.

