[Snort-users] Queries on Snort...

Matt Kettler mkettler at ...4108...
Fri Aug 30 12:07:15 EDT 2002


I know Poppi already answered, but I also wanted to further make the point 
that if snort could decode the encrypted traffic from the position of being 
a simple wire-sniffer, your encryption would be worthless and you may as 
well not be using it.

The fundamental point of encryption (SSL, SSH, PGP etc) is to prevent 
someone who is eavesdropping from deciphering the data transferred without 
an unreasonable level of effort. Snort is an eavesdropper.

That said, if you have a higher-end PC you can brute-force 40-bit type SSL 
sessions in reasonable time (read: many hours of CPU work per key, but less 
than a month and still within the bounds of feasibility if you have a small 
number of sessions to decode.) Certainly not possible in real-time as a 
part of snort, but possible.

Breaking a 128-bit SSLv3/TLS session (and who in their right mind trusts a 
40-bit session?) with current PC hardware would take an insane amount of 
time, and for all practical purposes can be considered to be an impossible 
task (odds are the PC hardware will fail before it's even 0.1% done).

Even using all of distributed.net (assuming 300 Gkey/sec, which they are 
getting close to) it would take 35,942,991,748,521,060,268 years to exhaust 
a 128-bit keyspace. (2^128 / 300G) / (60*60*24*365.25).


At 04:05 PM 8/30/2002 +0530, P.Balasubramaniam wrote:
>1. Does Snort support capturing and decoding encrypted traffic?
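The keyspace arithmetic in the reply above, carried out as an added example (this is not code from the original post or from the Snort project). It reproduces the 128-bit figure exactly with integer arithmetic, applies the same formula to the 40-bit case, and turns the question around to ask how many key bits a given attacker can exhaust within a deadline. The 300 Gkey/sec distributed.net rate and the 365.25-day year come from the post; the 1 Mkey/sec single-PC rate and the 30-day month are assumptions chosen to match the post's "many hours, less than a month" description.

```python
# Added example: brute-force keyspace arithmetic for the reply above.
# Python integers keep the 2^128 result exact instead of rounding it.
#
# From the post:  300 Gkey/sec (distributed.net), 365.25-day year.
# Assumptions:    1 Mkey/sec for a single 2002-era PC on a 40-bit key,
#                 30-day "month".  Both are illustrative, not measured.

SECONDS_PER_YEAR = 31_557_600          # 60*60*24*365.25, exact as an integer
SECONDS_PER_DAY = 86_400

PC_KEYS_PER_SECOND = 1_000_000                  # assumption
DISTRIBUTED_NET_KEYS_PER_SECOND = 300 * 10**9   # from the post
MONTH_SECONDS = 30 * SECONDS_PER_DAY            # assumption


def keyspace(key_bits: int) -> int:
    """Number of candidate keys for a key_bits-bit key."""
    return 1 << key_bits


def exhaust_seconds(key_bits: int, keys_per_second: int) -> int:
    """Worst-case seconds to try every key (floored, like the post's figure)."""
    return keyspace(key_bits) // keys_per_second


def exhaust_years(key_bits: int, keys_per_second: int) -> int:
    """Worst-case years: the post's (2^128 / 300G) / (60*60*24*365.25)."""
    return keyspace(key_bits) // (keys_per_second * SECONDS_PER_YEAR)


def expected_seconds(key_bits: int, keys_per_second: int) -> int:
    """On average the right key turns up halfway through the keyspace."""
    return exhaust_seconds(key_bits, keys_per_second) // 2


def bits_breakable_within(keys_per_second: int, seconds: int) -> int:
    """Largest key size whose whole keyspace fits in the given budget.

    2**b <= rate*seconds  <=>  b <= floor(log2(rate*seconds)), and
    floor(log2(n)) for a positive integer n is n.bit_length() - 1.
    """
    return (keys_per_second * seconds).bit_length() - 1


def summarise(key_bits: int, keys_per_second: int) -> dict:
    """Worst-case and expected effort for one key size at one key rate."""
    secs = exhaust_seconds(key_bits, keys_per_second)
    return {
        "key_bits": key_bits,
        "worst_case_hours": secs / 3600,
        "worst_case_years": exhaust_years(key_bits, keys_per_second),
        "expected_days": expected_seconds(key_bits, keys_per_second) / SECONDS_PER_DAY,
    }


if __name__ == "__main__":
    cases = [
        (40, PC_KEYS_PER_SECOND, "single PC (assumed 1 Mkey/sec)"),
        (128, DISTRIBUTED_NET_KEYS_PER_SECOND, "all of distributed.net (300 Gkey/sec)"),
    ]
    for bits, rate, who in cases:
        print(f"{bits}-bit key, {who}: {summarise(bits, rate)}")
    print("key bits one PC can exhaust in a month:",
          bits_breakable_within(PC_KEYS_PER_SECOND, MONTH_SECONDS))
    print("key bits distributed.net can exhaust in a year:",
          bits_breakable_within(DISTRIBUTED_NET_KEYS_PER_SECOND, SECONDS_PER_YEAR))
```

With these inputs the 40-bit key falls to one PC in a few hundred hours worst case (about 6 days on average), one PC can exhaust roughly 41 bits in a month, and the whole of distributed.net at the post's rate can exhaust about 63 bits in a year, which is why the 128-bit estimate comes out in the 10^19-year range: each extra bit doubles the work, so 128 bits is 2^65 times harder than what a year of that effort can cover.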





More information about the Snort-users mailing list