[Snort-users] Detection after decryption

Dragos Ruiu dr at ...381...
Mon Sep 25 22:00:49 EDT 2000


Well, if you are using open source (;-) you could
just patch your web server to share session keys 
with your IDS via an out-of-band ethernet segment
that is physically secured and preferably dedicated.

cheers,
--dr

On Mon, 25 Sep 2000, Fyodor wrote:
> ~ :
> ~ :I haven't seen this one up yet.
> ~ :
> ~ :Just another crazy (?) idea:
> ~ :
> ~ :Wouldn't it be neat to have a preprocessor/module for OpenSSH and/or Apache
> ~ :that does intrusion detection on the traffic after it's been decrypted?
> 
> well there are a few points why I don't think it's going to be trivial:  
> 1. OpenSSH and SSL use public crypto to exchange session keys so it would
> be technically impossible (if not, tell me how ;-)) to decrypt session
> until you are on one of communication endpoints and are able to access
> secret keys.  
> 2. If you have access to these keys, decryption will take the snort process
> certain cpu time, which may cause certain packet loss. (should not be a
> problem in `offline' monitoring, e.g. from a tcpdump file :-))
> 
> 
> just a couple of thoughts.. ;-)
> 
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users
-- 
Dragos Ruiu <dr at ...50...>   dursec.com ltd. / kyx.net - we're from the future 
gpg/pgp key on file at wwwkeys.pgp.net
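Added example, not code from this thread or from Snort: the scheme the two messages sketch, in Go with the standard library only. The endpoint seals records under a per-session AES-GCM key and shares that key with the IDS over the out-of-band segment (modelled here as the keyLog map, an assumption); the IDS decrypts and runs Snort-style content matches on the plaintext, and without the key, or on a tampered record, it cannot inspect at all (point 1 in the quoted reply). Rule contents and the sample request are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Rule is a minimal Snort-style content match (constructed for this example).
type Rule struct{ Name, Content string }

// importKey turns a shared session key into the AES-GCM cipher for that session.
func importKey(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealRecord is the endpoint side: encrypt one record; the nonce travels with it.
func sealRecord(gcm cipher.AEAD, plaintext []byte) (nonce, ct []byte, err error) {
	nonce = make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, nil), nil
}

// inspect is the IDS side. keyLog stands in for the out-of-band segment: it maps
// session id to the key the endpoint shared. No key, no inspection (point 1).
func inspect(keyLog map[string]cipher.AEAD, sid string, nonce, ct []byte, rules []Rule) ([]string, error) {
	gcm, ok := keyLog[sid]
	if !ok {
		return nil, fmt.Errorf("ids: no session key for %q, cannot decrypt", sid)
	}
	pt, err := gcm.Open(nil, nonce, ct, nil) // fails closed on tamper or wrong key
	if err != nil {
		return nil, err
	}
	var hits []string
	for _, r := range rules {
		if bytes.Contains(pt, []byte(r.Content)) {
			hits = append(hits, r.Name)
		}
	}
	return hits, nil
}
```

The decryption in inspect is the CPU cost point 2 refers to: every record is opened before any rule runs, so a key-sharing IDS should be sized for that extra work or fed from a capture file.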