[Snort-users] Queries on Snort...

Hutchinson, Andrew Andrew.Hutchinson at ...3639...
Fri Aug 30 06:38:05 EDT 2002

If you require decoding encrypted traffic - and I'm assuming that you're
mainly concerned with ssl to your web servers, here - you should
probably look at getting an ssl proxy, and placing your IDS behind that
to watch for http attacks.  If you have high traffic web servers,
that'll take the encryption processing off the web servers, and will
also allow you to decode the encrypted traffic.

-----Original Message-----
From: Poppi, Sandro [mailto:Sandro.Poppi at ...3316...] 
Sent: Friday, August 30, 2002 5:50 AM
To: 'P.Balasubramaniam'; snort-users at lists.sourceforge.net
Subject: AW: [Snort-users] Queries on Snort...

> Hi,
> I am suggesting Snort for Intrusion Detection requirement. I
> do not know
> whether the following are supported in Snort. Can you help on these
> queries?
> 1. Does Snort support capturing and decoding encrypted traffic?

Capturing yes, but not decoding since it would be necessary to have the
private key of the recipient which you normally would not install on the
snort box ;)

> 2. Does Snort support playback of stored packets?

If you save packets in pcap format snort can read and interpret it as if
the packets where sent over the network snort listens.
> 3. Can Snort do intrusion prevention like if an intrusion occurs, it 
> respond to the attack.

Yes, using the so-called "flexible response" feature.


This sf.net email is sponsored by: OSDN - Tired of that same old cell
phone?  Get a new here for FREE!
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list