[Snort-users] SSL traffic

Frank Meerkoetter frank at ...11595...
Sat Apr 10 14:41:01 EDT 2004

On Sat, Apr 10, 2004 at 01:22:55PM -0700, Frank Dobb wrote:

> Can snort - when acting as a host based IDS detect
> malicious HTTP requests over SSL? The platfoms I need

No Snort can't do this. Snort gets a copy of every paket read of the wire. 
If the payload is encrypted you're out of luck. The decryption is done
at a higher level (SSL -> application level).

> to potect are IIS/Win system and also Apache/Linux and
> Win enviroment. 
> If Snort can not do this - what is the recommended
> HIDS for this kind of config. (pref opensource)

For the Apache webserver mod_security should do the trick
(http://www.modsecurity.org). They also have a perl script which can
transform snort signatures to rules usable by mod_security.

HTH Frank
mixed emotions:
	Watching a bus-load of lawyers plunge off a cliff.
	With five empty seats.

More information about the Snort-users mailing list