Snort mailing list archives

RE: Encrypted sessions


From: "Abe L. Getchell" <abegetchell () home com>
Date: Wed, 28 Nov 2001 00:34:34 -0500

Hi Neil,

Snort would never see the attacks in the encrypted communications
between the two hosts.  The data of a packet which contains an attack
(should it be a web-based attack utilizing SSL or an attack against
telnetd through an IPSec tunnel) would simply look like garbled data to
your Snort sensor.

What I would love to see is a crypto feature built into Snort much like
has been built into tcpdump (compiled using './configure --with-crypto'
and used at run-time using 'tcpdump -E <stuff>'), with a little more
flexibility (more algorithm options, better support for the ESP RFCs,
etc).  If the correct key or passphrase is known, it could be provided
to Snort at run-time, traffic could be decrypted on the fly by a
preprocessor, and the clear text data checked against the rule set being
used.

The one major drawback I see to this approach is the possibility of
processor saturation.  A Snort box in a high-traffic environment already
has its hands full checking packets against the large number of sigs
common in networks such as these.  Chances are, it wouldn't have many
free proc cycles to perform such a processor-intensive task as
decrypting data.  This feature would thus only be useful in a
low-traffic environment without introducing a packet loss problem.

Thanks,
Abe

--
Abe L. Getchell
Security Engineer
abegetchell () home com


-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of 
Ronneil Camara
Sent: Tuesday, November 27, 2001 3:53 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Encrypted sessions


How does snort deal with encrypted communication? Let's say I
would like to monitor an https connection to my web server, or we've
got an encrypted connection to another mail server. Would snort
know about those attacks?

This is what the big vendor company mentioned to me about
snort's weakness.

Thanks.

Neil

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users

Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
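
The decrypt-then-match idea from the reply above, as an added sketch that is not part of the original thread and is not Snort or tcpdump code. The function names, the key table keyed by SPI, the 8-byte IV, and the SHA-256 keystream standing in for a real ESP transform are all assumptions made so the example runs with the standard library only.

```python
import hashlib
import struct

RULE_CONTENT = b"/etc/passwd"  # constructed pattern, like a rule's content: option

def keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Stand-in cipher (SHA-256 in counter mode), NOT a real ESP transform."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + iv + struct.pack(">I", off // 32)).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def build_esp(spi: int, seq: int, key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Sender side: ESP header (SPI, sequence number) + IV + encrypted payload."""
    return struct.pack(">II", spi, seq) + iv + keystream_xor(key, iv, payload)

def parse_esp(packet: bytes, iv_len: int = 8):
    """What a sensor can read without the key: SPI and sequence number."""
    if len(packet) < 8 + iv_len:
        raise ValueError("truncated ESP packet")
    spi, seq = struct.unpack(">II", packet[:8])
    return spi, seq, packet[8:8 + iv_len], packet[8 + iv_len:]

def inspect(packet: bytes, keys: dict) -> str:
    """Hypothetical preprocessor: decrypt when a key for this SPI was supplied
    at start-up, then run the content match on the bytes that are available."""
    spi, _seq, iv, body = parse_esp(packet)
    key = keys.get(spi)
    data = keystream_xor(key, iv, body) if key else body
    if RULE_CONTENT in data:
        return "alert"
    # Without a key, "no match" only means the payload could not be inspected.
    return "clean" if key else "opaque"

# Constructed sample traffic for the demonstration.
KEY = b"constructed-demo-key"
IV = b"\x00" * 8
PKT_BAD = build_esp(0x1000, 1, KEY, IV, b"GET /../../etc/passwd HTTP/1.0\r\n")
PKT_OK = build_esp(0x1000, 2, KEY, IV, b"GET /index.html HTTP/1.0\r\n")

if __name__ == "__main__":
    for pkt in (PKT_BAD, PKT_OK):
        print(parse_esp(pkt)[:2], inspect(pkt, {}), inspect(pkt, {0x1000: KEY}))
```

Reporting "opaque" instead of "clean" for traffic with no key keeps the blind spot visible in the sensor's output. A real implementation would also verify the ESP authentication data before trusting a decryption.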




