[Snort-users] Encrypted sessions
maylor at ...1991...
Tue Nov 27 14:32:04 EST 2001
That would be neat, if there was a way of telling snort about the
existence of a private RSA key that it had read access to, so it could
reverse engineer the public key exchange it was watching...am I
oversimplifying? My understanding was that, if you had the private key
(and presumably the password used to encrypt it), then you'd be able to
decode any traffic using that key. Am I incorrect?

From: Erek Adams [mailto:erek at ...577...]
Sent: Tuesday, November 27, 2001 3:31 PM
To: Chr. v. Stuckrad
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Encrypted sessions

On Tue, 27 Nov 2001, Chr. v. Stuckrad wrote:
> *grin* there is another problem with 'encryption':
> I've seen a thing like an IRC-Bot used as DDOS Command-Center
> and communicating via an encrypted stream to the hacked host...
> No chance to see anything, except if the key is already known.
Right! But I was (pardon the pun) 'keying off' on the fact it was 'our
mailservers/webservers'. I made the assumption that they had the keys.
> But how? If for example you would want to look for specific bad
> (we had that with ssh1) and you want to find logins via ssh, you only
> get the fact, that there IS a connection, no contents (else ssh would
> be useless anyway).
Right again! If the 3l33t hax0r uses a l33t algorithm like, oh, ROTT13,
you've got a bit of a chance. :) But if it's something akin to