Snort mailing list archives
Re: Re: Snort New Feature Request
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Sat, 18 Aug 2001 20:00:21 +1200
On Fri, Aug 17, 2001 at 10:36:58AM -0400, Martin Roesch wrote:
> Hi Renaud, Snort doesn't use tcpdump, it's a stand alone sniffer/IDS program. Doing real time SSL decryption would be extremely computationally expensive and isn't likely to be implemented (by me) any time soon since it would be useful on only low bandwidth/small networks.
Too right. As such a feature would only be of use on networks where the IDS has access to the private keys of the SSL servers involved, I'd say it's the wrong approach anyway. Much better to terminate your SSL sessions on an SSL-proxy, and have your IDS read the non-encrypted data that falls out the back - no extra computational load on the IDS at all!
> That said, if you wanted to code up such a preprocessor I'd be glad to include it!
Well, you could configure snort to save to a tcpdump-format file, and run ssldump over it at your leisure :-)

Hmmm, I wonder if that could be turned into a near-realtime process, with the end-result feeding back into snort? Separate shell-script app of course...

--
Cheers
Jason Haar
Unix/Special Projects, Trimble NZ
Phone: +64 3 9635 377 Fax: +64 3 9635 417