[Snort-users] Detection after decryption

Erik Engberg Erik.Engberg at ...511...
Tue Sep 26 07:15:04 EDT 2000


Sounds like a cool idea ;)

But while I'm at it couldn't I just let the web/ssh server just relay the
decrypted "traffic" to a snort sensor on a secured segment?
I don't see why this would be harder, although I must admit that I don't
know the inner workings of SSL/SSH nor apache.

Of course I'm using open source... ;)

/Erik

-----Original Message-----
From: Dragos Ruiu [mailto:dr at ...381...]
Sent: den 26 september 2000 04:01
To: fyodor at ...123...; Fyodor; Erik Engberg
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Detection after decryption


Well if you are using open source (;-) you could
just patch your web server to share session keys
with your IDS via an out of band ethernet segment
that is physically secured and preferably dedicated.

cheers,
--dr

On Mon, 25 Sep 2000, Fyodor wrote:
> ~ :
> ~ :I haven't seen this one up yet.
> ~ :
> ~ :Just another crazy (?) idea:
> ~ :
> ~ :Wouldn't it be neat to have a preprocessor/module for OpenSSH and/or Apache
> ~ :that does intrusion detection on the traffic after it's been decrypted?
> 
> well there are a few points why I don't think it's going to be trivial:
> 1. OpenSSH and SSL use public crypto to exchange session keys so it would
> be technically impossible (if not, tell me how ;-)) to decrypt session
> until you are on one of the communication endpoints and are able to access
> secret keys.
> 2. If you have access to these keys, decryption will take snort process
> certain cpu time, which may cause certain packet loss. (should not be a
> problem in `offline' monitoring, e.g. from tcpdump file :-))
> 
> 
> just a couple of thoughts.. ;-)
> 
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users
-- 
Dragos Ruiu <dr at ...50...>   dursec.com ltd. / kyx.net - we're from the future
gpg/pgp key on file at wwwkeys.pgp.net