[Snort-users] Queries on Snort...
mkettler at ...4108...
Fri Aug 30 12:07:15 EDT 2002
I know Poppi already answered, but I also wanted to further make the point
that if snort could decode the encrypted traffic from the position of being
a simple wire-sniffer, your encryption would be worthless and you may as
well not be using it.

The fundamental point of encryption (SSL, SSH, PGP etc) is to prevent
someone who is eavesdropping from deciphering the data transferred without
an unreasonable level of effort. Snort is an eavesdropper.

That said, if you have a higher-end PC you can brute-force 40-bit type SSL
sessions in reasonable time (read: many hours of CPU work per key, but less
than a month and still within the bounds of feasibility if you have a small
number of sessions to decode.) Certainly not possible in real-time as a
part of snort, but possible.

Breaking a 128-bit SSLv3/TLS session (and who in their right mind trusts a
40-bit session?) with current PC hardware would take an insane amount of
time, and for all practical purposes can be considered to be an impossible
task (odds are the PC hardware will fail before it's even 0.1% done).

Even using all of distributed.net (assuming 300 Gkey/sec, which they are
getting close to) it would take 35,942,991,748,521,060,268 years to exhaust
a 128-bit keyspace: (2^128 / 300G) / (60*60*24*365.25).
At 04:05 PM 8/30/2002 +0530, P.Balasubramaniam wrote:
>1. Does Snort support capturing and decoding encrypted traffic?
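Added example, not part of the original post or of Snort itself: the keyspace-exhaustion estimate from the reply above carried through in exact integer arithmetic and generalised to any key length and search rate. The 300 Gkey/sec figure is the post's distributed.net estimate; the one-million-keys-per-second single-PC rate is an assumption made here purely for illustration.

```python
from datetime import timedelta

# 60*60*24*365.25 from the post, which happens to be an exact integer.
SECONDS_PER_YEAR = 31_557_600


def seconds_to_exhaust(key_bits: int, keys_per_second: int) -> int:
    """Whole seconds needed to try every key of a key_bits-bit keyspace.

    Python integers are arbitrary precision, so 2**128-sized values are
    handled exactly instead of being rounded through a float.
    """
    if key_bits <= 0 or keys_per_second <= 0:
        raise ValueError("key_bits and keys_per_second must be positive")
    return (2 ** key_bits) // keys_per_second


def years_to_exhaust(key_bits: int, keys_per_second: int) -> int:
    """Whole years for a full keyspace search: the post's formula."""
    return seconds_to_exhaust(key_bits, keys_per_second) // SECONDS_PER_YEAR


def expected_seconds(key_bits: int, keys_per_second: int) -> int:
    """A random key is found, on average, after half the keyspace is searched."""
    return seconds_to_exhaust(key_bits, keys_per_second) // 2


def describe(key_bits: int, keys_per_second: int, label: str) -> str:
    """Human-readable full-search time; years once timedelta stops being useful."""
    secs = seconds_to_exhaust(key_bits, keys_per_second)
    head = f"{key_bits}-bit at {keys_per_second:,} keys/s ({label}): "
    if secs < 10 * SECONDS_PER_YEAR:
        return head + str(timedelta(seconds=secs))
    return head + f"{years_to_exhaust(key_bits, keys_per_second):,} years"


if __name__ == "__main__":
    # ASSUMPTION: 1e6 keys/s for a single 2002-era PC is a constructed rate,
    # chosen only to show why 40-bit falls within "less than a month".
    print(describe(40, 1_000_000, "assumed single PC"))
    # 300 Gkey/s is the rate quoted in the post for distributed.net.
    print(describe(128, 300_000_000_000, "distributed.net, per the post"))
```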