[Snort-users] Detection after decryption

Fyodor fygrave at ...121...
Mon Sep 25 20:34:08 EDT 2000


~ :
~ :I haven't seen this one up yet.
~ :
~ :Just another crazy (?) idea:
~ :
~ :Wouldn't it be neat to have a preprocessor/module for OpenSSH and/or Apache
~ :that does intrusion detection on the traffic after it's been decrypted?

well there are a few points why I don't think it's going to be trivial:
1. OpenSSH and SSL use public crypto to exchange session keys, so it would
be technically impossible (if not, tell me how ;-)) to decrypt the session
unless you are on one of the communication endpoints and are able to access
the secret keys.
2. If you have access to these keys, decryption will take the snort process a
certain amount of cpu time, which may cause some packet loss. (should not be a
problem in `offline' monitoring, e.g. from a tcpdump file :-))


just a couple of thoughts.. ;-)
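To illustrate both points of the reply, here is an added Python example (not from this thread, and not Snort code). It models an SSH/SSL-style session: a Diffie-Hellman exchange over a constructed in-memory "wire" standing in for the tapped network segment, a toy SHA-256 keystream cipher standing in for the real record layer, and a made-up content rule list run from two vantage points, a passive sensor that only sees what crossed the wire, and a hook inside one endpoint that holds the session key. The modulus is intended to be the 2048-bit MODP group from RFC 3526 (group 14); the demonstration does not depend on that particular value.

```python
"""Added example: why a network sensor cannot inspect SSH/SSL payloads and
what an endpoint-side hook can do instead.  Wire, cipher and rules are all
constructed for the illustration; the cipher is a toy, not SSH or TLS."""
import hashlib
import secrets

# 2048-bit MODP group (RFC 3526, group 14).  Any safe prime works here.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2


class Endpoint:
    """One side of the connection.  The private exponent is created here and
    never placed on the wire, which is the whole point of the exchange."""

    def __init__(self, name):
        self.name = name
        self._priv = secrets.randbelow(P - 2) + 1
        self.public = pow(G, self._priv, P)
        self.session_key = None

    def derive_key(self, peer_public):
        shared = pow(peer_public, self._priv, P)
        self.session_key = hashlib.sha256(shared.to_bytes(256, "big")).digest()
        return self.session_key


def keystream_xor(key, nonce, data):
    """Toy record-layer cipher: XOR with SHA-256(key||nonce||counter) blocks.
    Symmetric, so the same call encrypts and decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


# Constructed content rules: byte patterns a cleartext rule might look for.
RULES = [b"/etc/passwd", b"/bin/sh"]


def inspect(cleartext):
    """Return the rule patterns present in a cleartext payload."""
    return [pattern for pattern in RULES if pattern in cleartext]


def run_session(payload):
    """Client and server exchange public values, derive the session key, and
    the client sends one encrypted record.  Returns both endpoints plus the
    wire exactly as a passive sensor would have captured it."""
    client, server = Endpoint("client"), Endpoint("server")
    wire = [("kex", client.public), ("kex", server.public)]
    client.derive_key(server.public)
    server.derive_key(client.public)
    nonce = secrets.token_bytes(8)
    wire.append(("record", nonce, keystream_xor(client.session_key, nonce, payload)))
    return client, server, wire


def passive_sensor(wire):
    """Point 1 of the reply: an off-path sensor holds only public values and
    ciphertext.  With no private exponent it can only run the rules over the
    ciphertext, which tells it nothing."""
    hits = []
    for record in wire:
        if record[0] == "record":
            hits += inspect(record[2])
    return hits


def endpoint_hook(endpoint, wire):
    """A preprocessor hooked into one endpoint (the sshd/httpd side) does hold
    the session key, so it decrypts each record before matching.  That
    per-record decryption is the extra CPU work from point 2 of the reply."""
    hits = []
    for record in wire:
        if record[0] == "record":
            _, nonce, ciphertext = record
            hits += inspect(keystream_xor(endpoint.session_key, nonce, ciphertext))
    return hits


if __name__ == "__main__":
    client, server, wire = run_session(b"cat /etc/passwd\n")
    print("keys agree:", client.session_key == server.session_key)
    print("passive sensor hits:", passive_sensor(wire))
    print("endpoint hook hits:", endpoint_hook(server, wire))
```

Running it shows the two endpoints agreeing on a key that never crossed the wire, the passive sensor matching nothing, and the endpoint hook matching the rule after decrypting. The hook is where the second point bites: every record costs a decryption before any rule runs, which is fine against a saved capture but competes with packet capture on a live sensor.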
