[Snort-users] Snorting SSL
James R. Hendrick
hendrick at ...1997...
Mon Jul 7 12:04:19 EDT 2003
Hmmm. I suppose if you had a way to grab the site's private key, you could decrypt the traffic for every individual session the same way the real server does. (I assume you know basically how SSL works. The traffic is encrypted with a new key for each client session. To decrypt traffic encrypted with these session keys you need the private key of the server, which is not the same as its certificate.)
It would seem to me that the CPU load would quickly bottleneck a software IDS that tried to do this.
I agree with the poster who suggested putting your web server(s) behind an encryption device (we love Alteons) so that it sees only unencrypted traffic. (This is also a great way to improve performance and reliability.) If you did this, you might also want to sniff the line in front of the encryption engine(s) since they don't forward all traffic they see *to* the web servers.
Is this what you had in mind?
> -----Original Message-----
> From: mjm at ...7530... [mailto:mjm at ...7530...]
> Sent: Monday, July 07, 2003 11:57 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Snorting SSL
> Is there any way to decrypt SSL sessions for IDS analysis by Snort? I
> understand why this cannot happen now, but is there a feasible way if you
> could use your web server's certificate or something to snort this?
> Curious if anyone knows or has any ideas.
> -mike mccasland
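James's first paragraph, worked through in code. This is an added example, not code from the thread, from Snort, or from any product mentioned in it: a pure-Python reconstruction of the TLS 1.0 key derivation from RFC 2246 (the PRF, the master secret and the key block) run three times, by the client, by the server, and by a passive observer who saw the handshake and holds the server's private key. The RSA step is unpadded textbook RSA over two Mersenne primes (an assumption made here so the script needs no crypto library; real TLS wraps the 48-byte pre-master secret in PKCS#1 v1.5 padding), the key sizes assume an AES-128-CBC/SHA suite, and all random values are generated locally. One caveat the thread does not state: this only works for RSA key exchange suites. With ephemeral Diffie-Hellman suites the server's key signs the exchange but the pre-master secret never passes through it, so holding the private key recovers nothing.

```python
import hmac
import os
from math import ceil

# --- TLS 1.0 key derivation, RFC 2246 sections 5, 6.3 and 8.1 ---------------

def p_hash(hash_name, secret, seed, length):
    """P_hash(secret, seed): HMAC-based expansion, iterated until `length` bytes."""
    out = b""
    a = seed                                            # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()     # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def tls10_prf(secret, label, seed, length):
    """PRF(secret, label, seed) = P_MD5(S1, label+seed) XOR P_SHA1(S2, label+seed)."""
    half = ceil(len(secret) / 2)
    s1, s2 = secret[:half], secret[-half:]              # halves share one byte if len is odd
    return bytes(x ^ y for x, y in zip(p_hash("md5", s1, label + seed, length),
                                       p_hash("sha1", s2, label + seed, length)))


def derive_session_keys(pre_master_secret, client_random, server_random,
                        mac_len=20, key_len=16, iv_len=16):
    """Master secret and key block for a CBC suite such as TLS_RSA_WITH_AES_128_CBC_SHA.

    Both endpoints run exactly this; so can anyone else who holds the same inputs.
    """
    master_secret = tls10_prf(pre_master_secret, b"master secret",
                              client_random + server_random, 48)
    key_block = tls10_prf(master_secret, b"key expansion",
                          server_random + client_random,
                          2 * (mac_len + key_len + iv_len))
    sizes = [("client_mac", mac_len), ("server_mac", mac_len),
             ("client_key", key_len), ("server_key", key_len),
             ("client_iv", iv_len), ("server_iv", iv_len)]
    keys, pos = {"master_secret": master_secret}, 0
    for name, size in sizes:                            # RFC 2246 6.3 partition order
        keys[name] = key_block[pos:pos + size]
        pos += size
    return keys


# --- Toy RSA key exchange (stand-in for PKCS#1 v1.5 in ClientKeyExchange) -----
# Assumption for this example: unpadded textbook RSA over two Mersenne primes so
# the script needs no crypto library. Real TLS pads the pre-master secret.
P, Q = (1 << 521) - 1, (1 << 607) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))                       # server's private exponent


def rsa_encrypt_premaster(pre_master_secret):
    """What the client sends in ClientKeyExchange (as an integer)."""
    return pow(int.from_bytes(pre_master_secret, "big"), E, N)


def rsa_decrypt_premaster(ciphertext_int):
    """What anyone holding the server's private exponent can recover."""
    return pow(ciphertext_int, D, N).to_bytes(48, "big")


def rsa_handshake(client_random=None, server_random=None):
    """Simulate one RSA-key-exchange handshake and return each party's key set.

    `observer` is a passive sniffer that saw both randoms and the ClientKeyExchange
    on the wire and holds the server's private key, the situation in the thread.
    """
    client_random = client_random or os.urandom(32)
    server_random = server_random or os.urandom(32)
    # RFC 2246 7.4.7.1: client_version (TLS 1.0 = 3,1) followed by 46 random bytes
    pre_master = b"\x03\x01" + os.urandom(46)
    client_key_exchange = rsa_encrypt_premaster(pre_master)   # goes on the wire

    client = derive_session_keys(pre_master, client_random, server_random)
    server = derive_session_keys(rsa_decrypt_premaster(client_key_exchange),
                                 client_random, server_random)
    observer = derive_session_keys(rsa_decrypt_premaster(client_key_exchange),
                                   client_random, server_random)
    return {"client": client, "server": server, "observer": observer}


if __name__ == "__main__":
    result = rsa_handshake()
    assert result["client"] == result["server"] == result["observer"]
    print("observer with the server's private key derived client_write_key",
          result["observer"]["client_key"].hex())
```

Every call to `rsa_handshake()` yields a fresh key block, which is the per-session cost James points at: an IDS doing this must perform one RSA private-key operation per connection plus the PRF work, on top of the symmetric decryption of the stream, which is why terminating SSL in front of the sensor is the usual answer.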