[Snort-users] Encrypted sessions

Michael Aylor maylor at ...1991...
Tue Nov 27 14:32:04 EST 2001

That would be neat, if there was a way of telling snort about the
existence of a private RSA key that it had read access to, so it could
reverse engineer the public key exchange it was watching...am I
oversimplifying?  My understanding was that, if you had the private key
(and presumably the password used to encrypt it), then you'd be able to
decode any traffic using that key.  Am I incorrect?


-----Original Message-----
From: Erek Adams [mailto:erek at ...577...]
Sent: Tuesday, November 27, 2001 3:31 PM
To: Chr. v. Stuckrad
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Encrypted sessions

On Tue, 27 Nov 2001, Chr. v. Stuckrad wrote:

> *grin* there is another problem with 'encryption':
> I've seen a thing like an IRC-Bot used as DDOS Command-Center
> and communicating via an encrypted stream to the hacked host...
> No chance to see anything, except if the key is already known.

Right!  But I was (pardon the pun) 'keying off' on the fact it was 'our
mailservers/webservers'.  I made the assumption that they had the keys.

> But how?  If for example you would want to look for specific bad
> (we had that with ssh1) and you want to find logins via ssh, you only
> get the fact, that there IS a connection, no contents (else ssh would
> be useless anyway).

Right again!  If the 3l33t hax0r uses a l33t algorithm like, oh, ROT13,
you've got a bit of a chance.   :)  But if it's something akin to

Erek Adams
