[Snort-users] Detection after decryption
dr at ...381...
Mon Sep 25 22:00:49 EDT 2000
Well, if you are using open source (;-) you could
just patch your web server to share session keys
with your IDS via an out-of-band ethernet segment
that is physically secured and preferably dedicated.
On Mon, 25 Sep 2000, Fyodor wrote:
> ~ :
> ~ :I haven't seen this one up yet.
> ~ :
> ~ :Just another crazy (?) idea:
> ~ :
> ~ :Wouldn't it be neat to have a preprocessor/module for OpenSSH and/or Apache
> ~ :that does intrusion detection on the traffic after it's been decrypted?
> Well, there are a few points why I don't think it's going to be trivial:
> 1. OpenSSH and SSL use public-key crypto to exchange session keys, so it would
> be technically impossible (if not, tell me how ;-)) to decrypt the session
> unless you are on one of the communication endpoints and are able to access
> the secret keys.
> 2. If you have access to these keys, decryption will take the snort process
> a certain amount of cpu time, which may cause some packet loss. (should not be a
> problem in `offline' monitoring, e.g. from a tcpdump file :-))
> just a couple of thoughts.. ;-)
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
Dragos Ruiu <dr at ...50...> dursec.com ltd. / kyx.net - we're from the future
gpg/pgp key on file at wwwkeys.pgp.net
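The two points in the thread, in code: a passive sensor cannot inspect the session because the session key never crosses the wire, and the endpoint that does hold the key can hand it to the IDS over a side channel so the IDS can decrypt and then run its content signatures. This is an added illustration, not code from the thread, from Snort, or from OpenSSH/Apache. It assumes a toy HMAC-SHA256 counter-mode keystream as a stand-in for the session cipher (not a real TLS/SSH cipher), a dictionary standing in for the out-of-band key channel, and two constructed Snort-style content signatures; the `Endpoint`, `xor_crypt`, `inspect` names and the sample request are all invented here.

```python
import hashlib
import hmac
import os
import re

# Toy session cipher: HMAC-SHA256 in counter mode, XORed over the data.
# Stand-in for the cipher TLS/SSH would negotiate; not a real protocol cipher.
def _keystream(session_key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(session_key, nonce + counter.to_bytes(4, "big"),
                         hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def xor_crypt(session_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (symmetric): XOR data with the keystream."""
    ks = _keystream(session_key, nonce, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


class Endpoint:
    """The web server side. It is the only party that ever holds the session
    key (which a real server would obtain from the public-key handshake), so
    it is the only place the IDS can get that key from."""

    def __init__(self):
        # Assumed out-of-band channel: session_id -> session_key. In the
        # setup described in the thread this would be a dedicated, physically
        # secured ethernet segment between server and sensor.
        self.keylog = {}

    def send(self, plaintext: bytes) -> dict:
        session_key = os.urandom(32)        # fresh per-session key
        session_id = os.urandom(8).hex()    # identifies the session on the wire
        nonce = os.urandom(12)
        self.keylog[session_id] = session_key
        return {
            "session_id": session_id,
            "nonce": nonce,
            "ciphertext": xor_crypt(session_key, nonce, plaintext),
        }


# Constructed content signatures in the spirit of Snort web rules.
SIGNATURES = [
    ("WEB-MISC directory traversal", re.compile(rb"\.\./")),
    ("WEB-MISC /etc/passwd access", re.compile(rb"/etc/passwd")),
]


def inspect(record: dict, keylog: dict) -> dict:
    """Sensor side: decrypt with the shared key if we have it, then match.

    Without the key the payload is opaque and no signature can fire, which is
    exactly point 1 of the thread; with the key we pay the decryption cost
    (point 2) and get the plaintext to inspect."""
    key = keylog.get(record["session_id"])
    if key is None:
        return {"status": "opaque", "alerts": []}
    plaintext = xor_crypt(key, record["nonce"], record["ciphertext"])
    alerts = [name for name, pattern in SIGNATURES if pattern.search(plaintext)]
    return {"status": "inspected", "alerts": alerts}


if __name__ == "__main__":
    server = Endpoint()
    wire = server.send(b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n\r\n")
    print("passive sensor, no key:", inspect(wire, {}))
    print("sensor with shared key:", inspect(wire, server.keylog))
```

The sensor's key lookup is per session, so the server only has to export the symmetric session key, never its long-term private key, over the side channel; that keeps the blast radius of the IDS host to traffic it was meant to see anyway.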