[Snort-users] SSL traffic

Jason Haar Jason.Haar at ...294...
Sun Apr 11 02:07:12 EDT 2004

On Sat, Apr 10, 2004 at 03:48:34PM -0500, eric-dated-1083277626.193075aa63e273 at ...11523... wrote:
> You would need to decrypt the SSLized traffic. There's tools to do
> this -- sslsniff comes to mind. Or, you could find a way to use the

No it can't. This has become a bit of a "urban forktale". Tools such as
ssldump - if provided with a copy of the private key of one of the end nodes
on a SSL transaction - can decrypt SSL traffic encrypted using "static RSA
keys". No-one uses "static RSA keys" - so to say ssldump can decrypt normal
HTTPS SSL traffic is an extreme stretch. 

The way to allow IDS to see HTTPS traffic is to make it see HTTP traffic.
i.e. put in a reverse proxy. Get it to convert the incoming HTTPS connection
into a HTTP connection to the backend server. We do it - it works fine.


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

More information about the Snort-users mailing list