[Snort-users] monitoring https / SSL

Matt Kettler mkettler at ...4108...
Thu May 2 11:17:16 EDT 2002


Correct, and even more to the point, if snort COULD analyze the application 
layer data of https, then the whole point of using SSL in the first place 
would be lost.

It might be possible for snort to be given a copy of the private key half 
of the server's certificate (a security risk), and use that to decode 
messages to find out the SSL session key. I'm not that familiar with SSL 
that I can even say for sure that is possible.

Even assuming that snort can be given enough secret information to find out 
the session key, the decryption alone would likely slow snort down enough 
to drop packets now and then. Once it lost one packet in a SSL stream, it 
would not likely recover easily (if SSL uses encryption properly) since the 
state of the encryption should dependant on the past data run through it 
(this is why people use CBC and other feedback/chaining modes with block 
ciphers).


At 01:00 PM 5/2/2002 -0400, McCammon, Keith wrote:
>It's not that simple, as https traffic is encrypted, and snort cannot 
>decode it in the same manner as http traffic, which is in the 
>clear.  Rules that apply to source and destination ports can be changed, 
>as could certain rules referencing packet size, flags, etc.  However, 
>snort can't grab the application-layer data from https traffic.
>
>Cheers
>
>Keith
>
>-----Original Message-----
>From: Slade Edmonds [mailto:slade at ...5758...]
>Sent: Thursday, May 02, 2002 12:51 PM
>To: snort-users at lists.sourceforge.net
>Subject: [Snort-users] monitoring https / SSL
>
>
>Could anyone direct me to information regarding snorting SSL traffic?  Is it
>just a matter of taking the rules files designed for monitoring standard
>http port 80 and adding an ssl port to it?
>
>Thanks
>
>
>_______________________________________________________________
>
>Have big pipes? SourceForge.net is looking for download mirrors. We supply
>the hardware. You get the recognition. Email Us: bandwidth at ...382...
>_______________________________________________
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>https://lists.sourceforge.net/lists/listinfo/snort-users
>Snort-users list archive:
>http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>_______________________________________________________________
>
>Have big pipes? SourceForge.net is looking for download mirrors. We supply
>the hardware. You get the recognition. Email Us: bandwidth at ...382...
>_______________________________________________
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>https://lists.sourceforge.net/lists/listinfo/snort-users
>Snort-users list archive:
>http://www.geocrawler.com/redir-sf.php3?list





More information about the Snort-users mailing list