[Snort-users] SSL traffic

eric-dated-1083277626.193075aa63e273 at ...11523...
Sat Apr 10 13:49:01 EDT 2004


On Sat, 2004-04-10 at 13:22:55 -0700, Frank Dobb proclaimed...

> Can Snort - when acting as a host-based IDS - detect
> malicious HTTP requests over SSL? The platforms I need
> to protect are IIS/Win system and also Apache/Linux and
> Win environment.
> 
> If Snort cannot do this - what is the recommended
> HIDS for this kind of config. (pref opensource)

Frank,

You would need to decrypt the SSLized traffic. There are tools to do
this -- sslsniff comes to mind. Or, you could find a way to use the
private key (held on the webserver) to decrypt inbound traffic at
one of the transit points you're monitoring.

As far as IIS, there's a tool called urlscan to further secure IIS
servers -- I've never used it personally, but hear it's ok. 

- Eric
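
Added example, not part of the original message: a sketch of why a payload-matching sensor has to see decrypted traffic, as the reply says. The signature string, the request, the key and the XOR keystream (a labelled stand-in for the SSL record cipher, not real SSL/TLS cryptography) are all constructed for illustration.

```python
import hashlib
import struct

SIGNATURE = b"IDS-TEST-PATTERN"  # hypothetical content-match string
REQUEST = b"GET /app?q=IDS-TEST-PATTERN HTTP/1.0\r\nHost: www.example.com\r\n\r\n"  # constructed
RECORD_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}

def opaque(data, key=b"constructed-session-key"):
    """Stand-in cipher (assumption): XOR with a SHA-256 keystream; applying it twice decrypts."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + struct.pack(">I", counter)).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def wrap_record(payload, content_type=23):
    """Frame payload as one SSL/TLS record: type(1), version(2), length(2), body."""
    return struct.pack(">BBBH", content_type, 3, 1, len(payload)) + payload

def parse_records(stream):
    """Return [(type_name, length)] if stream is well-formed SSL/TLS records, else None."""
    records, off = [], 0
    while off < len(stream):
        if len(stream) - off < 5:
            return None
        ctype, major, _minor, length = struct.unpack_from(">BBBH", stream, off)
        if ctype not in RECORD_TYPES or major != 3 or off + 5 + length > len(stream):
            return None
        records.append((RECORD_TYPES[ctype], length))
        off += 5 + length
    return records or None

def sensor_view(stream):
    """What a sensor matching on raw payload bytes can conclude from the wire."""
    records = parse_records(stream)
    return {"encrypted": records is not None, "records": records,
            "signature_hit": SIGNATURE in stream}

def inspect_after_decrypt(stream):
    """Strip each record header, undo the stand-in cipher, then run the same match."""
    clear, off = b"", 0
    for _name, length in parse_records(stream) or []:
        clear += opaque(stream[off + 5: off + 5 + length])
        off += 5 + length
    return SIGNATURE in clear

if __name__ == "__main__":
    wire = wrap_record(opaque(REQUEST))
    print(sensor_view(REQUEST), sensor_view(wire), inspect_after_decrypt(wire))
```

On the wrapped stream the sensor can read only the record type and length; the content match succeeds again only after the decryption step.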



