[Snort-users] Encrypted sessions

Mike Shaw mshaw at ...3165...
Tue Nov 27 13:26:04 EST 2001


No network based IDS is going to be able to see a signature in an encrypted 
session of any kind.  That goes for Snort or any commercial network 
IDS.  If they could see encrypted traffic, so could any eavesdropper.

The vendor may be trying to sell you a host based IDS/integrity checker, in 
which case it's apples and oranges.  Host based and network based IDS are 
two different animals, and should be used to complement not replace each other.

The vendor could also be conveniently omitting that their own NIDS doesn't 
work with encrypted traffic.  The ol' Jedi mind trick.

-Mike

At 02:53 PM 11/27/2001 -0600, Ronneil Camara wrote:
>How does snort deal with encrypted communication? Let's say I would like to
>monitor https connections to my web server, or we've got an encrypted
>connection to another mail server. Would snort know about those attacks?
>
>This is what the big vendor company mentioned to me about snort's
>weakness.
>
>Thanks.
>
>Neil
>
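As an added illustration of Mike's point (example code written for this archive page, not from either poster): a toy content-rule matcher finds the suspicious string in a plaintext HTTP request but not in the same request once its payload is encrypted, while a rule keyed only on header fields such as the destination port still fires. The cipher is a constructed keystream stand-in for TLS record protection, not real TLS, and the rule, packets and key are all made up here.

```python
import hashlib

# Constructed sample request carrying a string a content rule would look for.
PLAINTEXT_REQUEST = (
    b"GET /cgi-bin/test.cgi?file=../../etc/passwd HTTP/1.0\r\n"
    b"Host: www.example.com\r\n\r\n"
)

# Minimal stand-ins for Snort rules: optional port predicate plus optional payload content.
# Neither is a real Snort signature; they only model the two kinds of match.
CONTENT_RULE = {"name": "toy traversal content match", "dst_port": "any",
                "content": b"../../etc/passwd"}
PORT_RULE = {"name": "toy HTTPS header-only match", "dst_port": 443, "content": None}


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """Counter-mode keystream XOR (assumption: a stand-in for TLS record encryption).

    It is symmetric, so applying it twice with the same key recovers the plaintext,
    which is what the endpoint (and a host-based IDS on it) gets to see.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], keystream))
    return bytes(out)


def inspect(packet: dict, rule: dict) -> bool:
    """Return True if the rule fires: headers are always visible to a NIDS,
    payload content is only matchable if it travels in the clear."""
    if rule["dst_port"] != "any" and rule["dst_port"] != packet["dst_port"]:
        return False
    if rule["content"] is None:
        return True
    return rule["content"] in packet["payload"]


def run_demo() -> tuple:
    """Same request sent in the clear to port 80 and encrypted to port 443."""
    http_pkt = {"dst_port": 80, "payload": PLAINTEXT_REQUEST}
    https_pkt = {"dst_port": 443,
                 "payload": toy_encrypt(b"constructed-session-key", PLAINTEXT_REQUEST)}
    return (inspect(http_pkt, CONTENT_RULE),   # True: signature visible in plaintext
            inspect(https_pkt, CONTENT_RULE),  # False: ciphertext hides it from the wire
            inspect(https_pkt, PORT_RULE))     # True: headers remain visible


if __name__ == "__main__":
    print(run_demo())
```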
