[Snort-users] Encrypted sessions

Abe L. Getchell abegetchell at ...530...
Tue Nov 27 21:34:02 EST 2001


Hi Neil,

Snort would never see the attacks in the encrypted communications
between the two hosts.  The data of a packet which contains an attack
(should it be a web-based attack utilizing SSL or an attack against
telnetd through an IPSec tunnel) would simply look like garbled data to
your Snort sensor.

What I would love to see is a crypto feature built into Snort much like
has been built into tcpdump (compiled using './configure --with-crypto'
and used at run-time using 'tcpdump -E <stuff>'), with a little more
flexibility (more algorithm options, better support for the ESP RFCs,
etc).  If the correct key or passphrase is known, it could be provided
to Snort at run-time, traffic could be decrypted on the fly by a
preprocessor, and the clear text data checked against the rule set being
used.

The one major drawback I see to this approach is the possibility of
processor saturation.  A Snort box in a high-traffic environment already
has its hands full checking packets against the large number of sigs
common in networks such as these.  Chances are, it wouldn't have many
free proc cycles to perform such a processor intensive task as
decrypting data.  This feature would thus only be useful in a
low-traffic environment without introducing a packet loss problem.

Thanks,
Abe

--
Abe L. Getchell
Security Engineer
abegetchell at ...530...


> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of 
> Ronneil Camara
> Sent: Tuesday, November 27, 2001 3:53 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Encrypted sessions
> 
> 
> How does snort deal with encrypted communication? Let's say I
> would like to monitor an https connection to my web server, or we've
> got an encrypted connection to another mail server. Would snort
> know about those attacks?
> 
> This is what the big vendor company mentioned to me about
> snort's weakness.
> 
> Thanks.
> 
> Neil
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> 
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
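The decrypt-then-inspect flow Abe proposes (key supplied at run time, packet data decrypted by a preprocessor, cleartext matched against the rule set), as an added example in Go that is not code from this thread or from the Snort project. AES-GCM stands in for whatever cipher the real session uses; the rule set, key, nonce and HTTP request are constructed for the demonstration, and `inspect`, `decryptPreprocessor` and `matchRules` are hypothetical helpers, not Snort APIs.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// Rule is a minimal stand-in for a Snort "content:" rule (hypothetical helper,
// not Snort's own rule engine): a name and a byte pattern to look for in a payload.
type Rule struct {
	Name    string
	Content []byte
}

// Constructed rule set for the demonstration.
var rules = []Rule{
	{Name: "WEB-MISC /etc/passwd access", Content: []byte("/etc/passwd")},
	{Name: "WEB-MISC directory traversal", Content: []byte("../..")},
}

// matchRules runs each rule's content match over a payload and returns the
// names of the rules that fired. This is the "check against the rule set" step.
func matchRules(payload []byte) []string {
	var hits []string
	for _, r := range rules {
		if bytes.Contains(payload, r.Content) {
			hits = append(hits, r.Name)
		}
	}
	return hits
}

// newGCM builds an AES-GCM AEAD from a 16-, 24- or 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts a cleartext request the way a peer on an encrypted session
// would; the result is what a sensor on the wire actually captures.
func seal(key, nonce, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, nonce, plaintext, nil), nil
}

// decryptPreprocessor models the proposed preprocessor: with the key handed to
// the sensor at run time it turns captured ciphertext back into cleartext
// before detection runs. A wrong key fails authentication and yields nothing.
func decryptPreprocessor(key, nonce, ciphertext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plain, err := aead.Open(nil, nonce, ciphertext, nil)
	if err != nil {
		return nil, errors.New("preprocessor: decryption failed (wrong key or corrupted packet)")
	}
	return plain, nil
}

// inspect is the sensor's per-packet path. With key == nil it behaves like
// stock Snort and matches rules against the raw (encrypted) bytes; with a key
// it decrypts first and matches against cleartext. Note that every packet now
// pays for one AEAD operation before any signature check, which is the
// per-packet CPU cost the post warns about.
func inspect(packetData, key, nonce []byte) ([]string, error) {
	if key == nil {
		return matchRules(packetData), nil
	}
	plain, err := decryptPreprocessor(key, nonce, packetData)
	if err != nil {
		return nil, err
	}
	return matchRules(plain), nil
}

// Constructed session parameters: a fixed key and nonce so the run is
// reproducible. Real sessions negotiate fresh keys; these exist only so the
// example is deterministic.
var (
	sessionKey   = []byte("0123456789abcdef0123456789abcdef") // 32 bytes -> AES-256
	sessionNonce = []byte("unique-nonce")                     // 12 bytes, GCM standard size
	request      = []byte("GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n\r\n")
)

func main() {
	wire, err := seal(sessionKey, sessionNonce, request)
	if err != nil {
		panic(err)
	}
	blind, _ := inspect(wire, nil, nil)
	fmt.Printf("no key       -> %d rule hits (ciphertext is opaque to the engine)\n", len(blind))
	sighted, _ := inspect(wire, sessionKey, sessionNonce)
	fmt.Printf("key supplied -> %v\n", sighted)
	if _, err := inspect(wire, []byte("ffffffffffffffffffffffffffffffff"), sessionNonce); err != nil {
		fmt.Println("wrong key    ->", err)
	}
}
```

Run as-is: the same captured bytes produce zero hits without the key and two hits once the preprocessor has the key, and a wrong key produces an authentication failure rather than cleartext, so a sensor with stale or missing key material is no better off than a sensor with none.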