[Snort-users] Commercial Advanced Packet Sniffers, how do they do this? Application signatures?

Jason Haar Jason.Haar at ...294...
Sat Jan 23 23:16:06 EST 2010

On 01/24/2010 09:40 AM, Jason Brvenik wrote:
> Snort itself has had these capabilities for a long time and they have
> been used for various purposes by all manner of folks.

Don't forget they all cannot handle SSL-based traffic directly - and
that still doesn't cover Skype. Exception: I know Bluecoat do a big
song-and-dance about their inline SSL support. You have to reconfigure
all software clients to either disable/ignore SSL hostname mismatches
(i.e. disable the "trusted" bit of SSL!), or create a Bluecoat CA and
dynamically generate new "fake" certs for every SSL server you access
(i.e. "trust" your Bluecoat admin won't steal your credit card).

I see Squid is working on similar technology too - interesting times...

When will we see inline snort dynamically create fake server certs? ;-)


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
