[Snort-users] Encrypted sessions

Jason Haar Jason.Haar at ...294...
Tue Nov 27 13:56:05 EST 2001


On Tue, Nov 27, 2001 at 01:13:57PM -0800, Erek Adams wrote:
> On Tue, 27 Nov 2001, Ronneil Camara wrote:
> 
> > How does snort deal with encrypted communication? Let's say I would like to
> > monitor https connections to my web server, or we've got an encrypted
> > connection to another mail server. Would snort know about those attacks?
> 
> Anyone else got a better way to play with encryption?  I'm looking for new
> ideas!

Yup - don't encrypt it :-)

Seriously, encryption is too hard to do on the fly - so MOVE THE PROBLEM.
Terminate your SSL sessions on a reverse proxy (either commercial or
Squid-2.5 for instance), and then it'll talk HTTP to the backend Web servers.

Not only can your IDS detect attacks again, but you've moved an expensive
task off your Web servers onto something specifically installed to do SSL...


-- 
Cheers

Jason Haar

Information Security Manager
Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
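The layout Jason describes, as an added example that is not part of the original thread: a Squid reverse-proxy configuration that terminates HTTPS on the proxy and forwards plain HTTP to the backend web server. It uses the Squid 3.x-style accelerator syntax (`https_port ... accel`, `cache_peer ... originserver`) rather than the Squid 2.5 `httpd_accel_*` directives current in 2001; the hostname, backend address and certificate paths are placeholders.

```conf
# Public side: terminate TLS here. The private key lives on the proxy,
# so this host needs to be hardened as carefully as the web servers were.
https_port 443 accel defaultsite=www.example.com \
    cert=/etc/squid/certs/www.example.com.pem \
    key=/etc/squid/certs/www.example.com.key

# Private side: the origin server is reached over plain HTTP on port 80.
# This proxy-to-backend segment is the one the IDS sensor must see
# (e.g. via a SPAN/mirror port); a sensor in front of the proxy still
# only sees ciphertext.
cache_peer 10.0.0.10 parent 80 0 no-query originserver name=webfarm

# Only accept requests for our own site; deny everything else so the
# proxy cannot be abused as an open forwarder.
acl our_site dstdomain www.example.com
http_access allow our_site
cache_peer_access webfarm allow our_site
cache_peer_access webfarm deny all
http_access deny all

# Keep the real client address in X-Forwarded-For so backend logs and
# IDS alerts on the plaintext segment can still be tied to the source.
forwarded_for on
```

Two practical notes on this layout: Snort rules keyed to `$HTTP_PORTS` will match again because the inner leg is ordinary HTTP on port 80, and since the backend now sees every request arriving from the proxy's IP, alert triage should use the `X-Forwarded-For` header rather than the packet's source address.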
