[Snort-users] Encrypted sessions
erek at ...577...
Tue Nov 27 13:14:05 EST 2001
On Tue, 27 Nov 2001, Ronneil Camara wrote:
> How does snort deal with encrypted communication? Let's say I would like to
> monitor an https connection to my web server, or we've got an encrypted
> connection to another mail server. Would snort know about those attacks?
No problem--If you've got the SSL key, that is! :)
> This is what the big vendor company mentioned to me about snort's
*sigh* I just love marketing/sales techno-babble. Not!
If it's encrypted traffic, to examine the traffic you would have to decode it.
If you have the keys then you can hook up ssldump (I think that's the
name--Have to check my notes at home.) and pipe the data into snort. Snort
can then tell you anything about it. :)
Also look into SPADE. SPADE does, among other things, anomaly detection. You
can use that to see when you have a spike in a certain type of activity.
Anyone else got a better way to play with encryption? I'm looking for new