Snort mailing list archives
Re: Snort New Feature Request
From: Martin Roesch <roesch () sourcefire com>
Date: Fri, 17 Aug 2001 10:36:58 -0400
Hi Renaud,

Snort doesn't use tcpdump, it's a stand alone sniffer/IDS program. Doing real time SSL decryption would be extremely computationally expensive and isn't likely to be implemented (by me) any time soon since it would be useful on only low bandwidth/small networks. That said, if you wanted to code up such a preprocessor I'd be glad to include it!

-Marty

Renaud Lemble wrote:
Hi,

I want to make a suggestion: why not use ssldump to replace tcpdump in snort? We could decode encrypted protocols if snort has a copy of the servers' keys. A preprocessor could be coded to do that. A config file could be:

preprocessor ssl_decode: server1_ip port1 certif1.pem
preprocessor ssl_decode: server2_ip port2 certif2.pem
...

I think this will be a very interesting option. I know a lot of people who are searching for an option like this one, and I think no IDS does that at this time.

What do you think about this idea?

--
------------------------
Renaud LEMBLE
renaud.lemble () cetelem fr
------------------------
--
Martin Roesch
roesch () sourcefire com
http://www.sourcefire.com - http://www.snort.org