Honeypots mailing list archives

Re: Snort and SSL


From: Jose Nazario <jose () monkey org>
Date: Mon, 23 Dec 2002 19:39:24 -0500 (EST)

On Mon, 23 Dec 2002, TageTora wrote:

> Does someone know a better solution to set IDS + SSL in a unique control
> machine?

ssldump, pass the captured packets to snort.

http://www.rtfm.com/ssldump/

if you control one of the endpoints, you should be ok:

ssldump is an SSLv3/TLS network protocol analyzer. It identifies TCP
connections on the chosen network interface and attempts to interpret them
as SSLv3/TLS traffic. When it identifies SSLv3/TLS traffic, it decodes the
records and displays them in a textual form to stdout. If provided with
the appropriate keying material, it will also decrypt the connections and
display the application data traffic.

hope this helps,

___________________________
jose nazario, ph.d.                     jose () monkey org
                                        http://www.monkey.org/~jose/

