[Snort-users] Encrypted sessions

Ju Kong Fui kongfui at ...3775...
Wed Nov 28 17:21:20 EST 2001

Having snort to decrypt traffic is not a good idea.
Putting snort before the encryption point/gateway is much easier to deal
with <-- working with the design of the network.
For end to end vpn tunnel, use host based IDS.

-----Original Message-----
From: Abe L. Getchell [mailto:abegetchell at ...530...] 
Sent: Wednesday, November 28, 2001 1:35 PM
To: 'Ronneil Camara'
Cc: snort-users at lists.sourceforge.net; snort-devel at lists.sourceforge.net
Subject: RE: [Snort-users] Encrypted sessions

Hi Neil,

Snort would never see the attacks in the encrypted communications between
the two hosts.  The data of a packet which contains an attack (should it be
a web-based attack utilizing SSL or an attack against telnetd through an
IPSec tunnel) would simply look like garbled data to your Snort sensor.

What I would love to see is a crypto feature built into Snort much like has
been built into tcpdump (compiled using './configure --with-crypto' and used
at run-time using 'tcpdump -E <stuff>'), with a little more flexibility
(more algorithm options, better support for the ESP RFCs, etc).  If the
correct key or passphrase is known, it could be provided to Snort at
run-time, traffic could be decrypted on the fly by a preprocessor, and the
clear text data checked against the rule set being used.

The one major drawback I see to this approach is the possibility of
processor saturation.  A Snort box in a high-traffic environment already has
its hands full checking packets against the large number of sigs common in
networks such as these.  Chances are, it wouldn't have many free proc cycles
to perform such a processor intensive task as decrypting data.  This feature
would thus only be useful in a low-traffic environment without introducing a
packet loss problem.


Abe L. Getchell
Security Engineer
abegetchell at ...530...

> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of
> Ronneil Camara
> Sent: Tuesday, November 27, 2001 3:53 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Encrypted sessions
> How does snort deal with encrypted communication? Let's say I would like to
> monitor https connections to my web server, or we've got an encrypted
> connection to another mail server. Would snort know about those attacks?
> This is what the big vendor company mentioned to me about snort's
> weakness.
> Thanks.
> Neil
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive: 
> http://www.geocrawler.com/redir-sf.php3?list=ort-users
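The effect Abe describes above, shown as an added example that is not from the thread or from Snort: a content match run on the wire bytes of an encrypted payload finds nothing, while the same match run after a "preprocessor" decrypts with the session key does. The cipher, keys, payload and rule content are all constructed stand-ins (an HMAC-SHA256 keystream XOR from the standard library, not IPsec ESP or TLS).

```python
"""Content matching on encrypted vs. decrypted payload (added example).

The cipher is a toy keystream XOR built from HMAC-SHA256 so the script runs
with the standard library only; it stands in for ESP/TLS and is not IPsec.
Keys, the sample request and the rule content are constructed for this demo.
"""
import hashlib
import hmac
from typing import Dict, Optional

# A Snort-style rule reduced to its content match (constructed sample).
RULE_CONTENT = b"/etc/passwd"


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with HMAC-SHA256(key, block counter).
    XOR is symmetric, so the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block_no = offset // 32
        ks = hmac.new(key, block_no.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[offset:offset + 32]
        out.extend(b ^ k for b, k in zip(chunk, ks))
    return bytes(out)


def content_match(payload: bytes) -> bool:
    """All a plain content-matching engine can do: search the raw bytes."""
    return RULE_CONTENT in payload


def inspect(packet: bytes, key: Optional[bytes] = None) -> Dict[str, Optional[bool]]:
    """Match on the wire bytes; if a key is supplied (the preprocessor case),
    also match on the decrypted payload."""
    result: Dict[str, Optional[bool]] = {"wire_match": content_match(packet), "clear_match": None}
    if key is not None:
        result["clear_match"] = content_match(keystream_xor(key, packet))
    return result


# Constructed sample request that the rule is meant to catch, plus keys.
CLEARTEXT = b"GET /cgi-bin/view?file=../../etc/passwd HTTP/1.0\r\n"
SESSION_KEY = b"constructed-session-key"
WRONG_KEY = b"constructed-wrong-key"
ENCRYPTED = keystream_xor(SESSION_KEY, CLEARTEXT)

if __name__ == "__main__":
    print("no key:   ", inspect(ENCRYPTED))
    print("wrong key:", inspect(ENCRYPTED, WRONG_KEY))
    print("right key:", inspect(ENCRYPTED, SESSION_KEY))
```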
