[Snort-users] Snorting SSL

Hutchinson, Andrew andrew.hutchinson at ...759...
Mon Jul 7 11:12:07 EDT 2003

I may be wrong, but the only good way that I know of to do this is to
use an SSL Accelerator, and run your ISD behind it.  This can often be
combined with a we server load balancing solution, from folks like
Radware or F5.  The accelerator terminates the SSL sessions and then
dispatches the session of one of the servers in the farm.  Radware
allows you to plug your IDS right into the accelerator/load balancer.  I
don't know too much about F5.

Hope this helps,


Andrew Hutchinson - Network Security
Vanderbilt University Medical Center
(615) 936-2856

> -----Original Message-----
> From: mjm at ...7530... [mailto:mjm at ...7530...] 
> Sent: Monday, July 07, 2003 10:57 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Snorting SSL
> Is there anyway to decrypt SSL sessions for IDS analyis by snort? I
> understand why this can not happen now but, is there a 
> feasable way if you
> could use your web server's certificate or something to snort this
> traffic?
> Curious if anyone knows or has any ideas.
> -mike mccasland
> -------------------------------------------------------
> This SF.Net email sponsored by: Free pre-built ASP.NET sites including
> Data Reports, E-commerce, Portals, and Forums are available now.
> Download today and enter to win an XBOX or Visual Studio .NET.
> http://aspnet.click-url.com/go/psa00100006ave/direct;at.asp_06
> 1203_01/01
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

More information about the Snort-users mailing list