Snort mailing list archives
RE: Encrypted sessions
From: Michael Aylor <maylor () swbanktx com>
Date: Tue, 27 Nov 2001 16:25:50 -0600
That would be neat, if there was a way of telling snort about the existence of a private RSA key that it had read access to, so it could reverse engineer the public key exchange it was watching...am I oversimplifying? My understanding was that, if you had the private key (and presumably the password used to encrypt it), then you'd be able to decode any traffic using that key. Am I incorrect?

Mike

-----Original Message-----
From: Erek Adams [mailto:erek () theadamsfamily net]
Sent: Tuesday, November 27, 2001 3:31 PM
To: Chr. v. Stuckrad
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Encrypted sessions

On Tue, 27 Nov 2001, Chr. v. Stuckrad wrote:

> *grin* there is another problem with 'encryption': I've seen a thing like an IRC-Bot used as DDOS Command-Center and communicating via an encrypted stream to the hacked host... No chance to see anything, except if the key is already known.

Right! But I was (pardon the pun) 'keying off' on the fact it was 'our mailservers/webservers'. I made the assumption that they had the keys. :)

> But how? If for example you would want to look for specific bad traffic
> (we had that with ssh1) and you want to find logins via ssh, you only get
> the fact, that there IS a connection, no contents (else ssh would be
> useless anyway).

Right again! If the 3l33t hax0r uses a l33t algorithm like, oh, ROTT13, then you've got a bit of a chance. :) But if it's something akin to ssh--Good luck.

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
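
The idea raised in the message above (a sensor holding the server's private RSA key and following the key exchange it watches) is sketched here as an added example; it is not part of the original thread and is not Snort code. The handshake is a constructed toy (textbook RSA without padding, a hash-based keystream), and every name in it is hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed toy server key built from two Mersenne primes; far too small
# and unpadded for real use, it only makes the exchange runnable offline.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # server's private exponent
N_BYTES = (N.bit_length() + 7) // 8

def session_key(premaster: bytes, c_nonce: bytes, s_nonce: bytes) -> bytes:
    """Both endpoints derive the bulk key from the secret and public nonces."""
    return hmac.new(premaster, c_nonce + s_nonce, hashlib.sha256).digest()

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: SHA-256 in counter mode, XORed over the data."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def run_session(plaintext: bytes) -> dict:
    """Client side of the toy handshake; returns only what crosses the wire."""
    c_nonce, s_nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    premaster = secrets.token_bytes(16)
    # RSA key transport: the client wraps its secret under the server public key.
    wrapped = pow(int.from_bytes(premaster, "big"), E, N)
    key = session_key(premaster, c_nonce, s_nonce)
    return {"c_nonce": c_nonce, "s_nonce": s_nonce,
            "wrapped_key": wrapped, "record": xor_stream(key, plaintext)}

def sensor_decrypt(capture: dict, d: int, n: int) -> bytes:
    """Passive sensor: unwrap the captured secret with the private key,
    re-derive the session key, and recover the payload for inspection."""
    raw = pow(capture["wrapped_key"], d, n).to_bytes(N_BYTES, "big")
    key = session_key(raw[-16:], capture["c_nonce"], capture["s_nonce"])
    return xor_stream(key, capture["record"])

if __name__ == "__main__":
    payload = b"GET /scripts/..%c0%af../winnt/system32/cmd.exe HTTP/1.0\r\n"
    capture = run_session(payload)           # constructed sample traffic
    print(sensor_decrypt(capture, D, N))     # payload is visible to the sensor
```

This works only because the session secret itself travels under the server's RSA key; with an ephemeral Diffie-Hellman exchange the private key authenticates the handshake but does not let a passive observer recover the session key.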