[Snort-users] Detection after decryption
Erik.Engberg at ...511...
Tue Sep 26 07:15:04 EDT 2000
Sounds like a cool idea ;)
But while I'm at it couldn't I just let the web/ssh server just relay the
decrypted "traffic" to a snort sensor on a secured segment?
I don't see why this would be harder, although I must admit that I don't
know the inner workings of SSL/SSH nor apache.
Of course I'm using open source... ;)
From: Dragos Ruiu [mailto:dr at ...381...]
Sent: den 26 september 2000 04:01
To: fyodor at ...123...; Fyodor; Erik Engberg
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Detection after decryption
Well if you are using open source (;-) you could
just patch your web server to share session keys
with your IDS via an out of band ethernet segment
that is physically secured and preferably dedicated.
On Mon, 25 Sep 2000, Fyodor wrote:
> ~ :
> ~ :I haven't seen this one up yet.
> ~ :
> ~ :Just another crazy (?) idea:
> ~ :
> ~ :Wouldn't it be neat to have a preprocessor/module for OpenSSH and/or
> ~ :that does intrusion detection on the traffic after it's been decrypted?
> well there are a few points why I don't think it's going to be trivial:
> 1. OpenSSH and SSL use public crypto to exchange session keys so it would
> be technically impossible (if not, tell me how ;-)) to decrypt session
> until you are on one of communication endpoints and are able to access
> secret keys.
> 2. If you have access to these keys, decryption will take snort process
> certain cpu time, which may cause certain packet loss. (should not be a
> problem in `offline' monitoring, e.g. from tcpdump file :-))
> just a couple of thoughts.. ;-)
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
Dragos Ruiu <dr at ...50...> dursec.com ltd. / kyx.net - we're from the
gpg/pgp key on file at wwwkeys.pgp.net
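As an added illustration of the relay idea discussed in this thread (example code, not from the list or from Snort): the TLS-terminating front end hands each decrypted request, as a small record, to a sensor over a separate loopback/out-of-band UDP socket, and the sensor applies Snort-style content rules to the plaintext. The rules, the record format and the sensor address are constructed for this example; no session keys ever leave the server, which sidesteps the key-sharing and CPU concerns raised above.

```python
import json
import socket

# Constructed Snort-style content rules (name, byte pattern); hypothetical, for illustration.
RULES = [
    ("WEB-MISC directory traversal", b"../"),
    ("WEB-IIS cmd.exe access", b"cmd.exe"),
]


def build_record(src, method, path, body=""):
    """Plaintext request record the web server emits after TLS decryption."""
    return {"src": src, "method": method, "path": path, "body": body}


def sensor_inspect(record):
    """Sensor side: match decrypted fields against content rules, return alert names."""
    haystack = (record["path"] + "\n" + record["body"]).encode("utf-8", "replace")
    return [name for name, pattern in RULES if pattern in haystack]


def relay_decrypted(record, sensor_addr):
    """Server side: send one decrypted record to the sensor on the out-of-band segment."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(json.dumps(record).encode("utf-8"), sensor_addr)


def sensor_receive_one(sock):
    """Sensor side: read one relayed record and inspect it."""
    data, _ = sock.recvfrom(65535)
    return sensor_inspect(json.loads(data.decode("utf-8")))


def demo():
    """Round trip over loopback (constructed traffic): returns the sensor's alerts."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sensor:
        sensor.bind(("127.0.0.1", 0))  # stand-in for the dedicated sensor segment
        sensor.settimeout(2)
        rec = build_record("10.0.0.5", "GET", "/scripts/..%2f../winnt/cmd.exe")
        # A decoder would normalise %2f to '/' first; here the literal '../' also matches.
        relay_decrypted(rec, sensor.getsockname())
        return sensor_receive_one(sensor)


if __name__ == "__main__":
    print(demo())
```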