[Snort-users] Encrypted sessions

Erek Adams erek at ...577...
Tue Nov 27 13:14:05 EST 2001


On Tue, 27 Nov 2001, Ronneil Camara wrote:

> How does snort deal with encrypted communication? Let's say I would like to
> monitor an https connection to my web server, or we've got an encrypted
> connection to another mail server. Would snort know about those attacks?

No problem--If you've got the SSL key, that is!  :)

> This is what the big vendor company mentioned to me about snort's
> weakness.

*sigh*  I just love marketing/sales techno-babble.  Not!

If it's encrypted traffic, to examine the traffic you would have to decode it.
If you have the keys then you can hook up ssldump (I think that's the
name--Have to check my notes at home.) and pipe the data into snort.  Snort
can then tell you anything about it. :)

Also look into SPADE.  SPADE does, among other things, anomaly detection.  You
can use that to see when you have a spike in a certain type of activity.

Anyone else got a better way to play with encryption?  I'm looking for new
ideas!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
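
The spike-watching idea in the reply above needs only packet headers, so it still works when the payload is encrypted and no key is available. The sketch below is an added example, not part of the original post and not SPADE's algorithm: it counts new sessions per destination port per minute and flags a minute that exceeds the trailing mean by `k` standard deviations. The flow records, function names and thresholds are constructed assumptions.

```python
from collections import Counter
from statistics import mean, pstdev

def build_sample():
    """Constructed flow records: (unix_time, src_ip, dst_ip, dst_port).
    Header fields only, so the sessions themselves may be SSL-encrypted."""
    flows = []
    for minute in range(10):
        n = 40 if minute == 8 else 5 + (minute % 3)   # minute 8 holds the spike
        for i in range(n):
            flows.append((minute * 60 + i, f"192.0.2.{i % 20 + 1}",
                          "198.51.100.10", 443))
        # steady background: one SMTP session per minute
        flows.append((minute * 60 + 30, "192.0.2.50", "198.51.100.25", 25))
    return flows

def counts_per_window(flows, window=60):
    """Count sessions per (dst_port, window index)."""
    counts = Counter()
    for ts, _src, _dst, dport in flows:
        counts[(dport, ts // window)] += 1
    return counts

def find_spikes(flows, window=60, min_history=5, k=3.0):
    """Return (dst_port, window_index, count) for windows above baseline.
    Baseline = mean of all earlier windows + k * stddev (floored at 1.0 so a
    perfectly flat history does not alert on a change of one session)."""
    counts = counts_per_window(flows, window)
    ports = sorted({port for port, _ in counts})
    last = max(w for _, w in counts)
    spikes = []
    for port in ports:
        series = [counts.get((port, w), 0) for w in range(last + 1)]
        for w in range(min_history, last + 1):
            history = series[:w]
            threshold = mean(history) + k * max(pstdev(history), 1.0)
            if series[w] > threshold:
                spikes.append((port, w, series[w]))
    return spikes

if __name__ == "__main__":
    for port, w, count in find_spikes(build_sample()):
        print(f"port {port}: {count} sessions in minute {w} exceeds baseline")
```

A spike window stays in the history once it has passed, which raises the baseline for later windows; a deployment would normally exclude flagged windows from the baseline.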




