Snort mailing list archives
RE: Encrypted sessions
From: "Abe L. Getchell" <abegetchell () home com>
Date: Wed, 28 Nov 2001 10:13:30 -0500
That would indeed be a kick ass pre/post processor to have!
It would probably have to be a preprocessor so things like the HTTP, telnet, and RPC decode preprocessors can have a whack at the data before it's matched against the sigs. I can't think of any disadvantages of making this a 'pre' as opposed to a 'post' processor.
Hrm... This brings to mind something--Sun and IBM are both sporting Crypto Accelerator cards. Intel (and 3com?) now have a crypto chip built into some ethernet cards... With the benefit of those two bits of hardware, I wonder how much saturation you would get? If the key/algorithm is known, and can have a decoder built for it, it should scream! And no, I'm not a Crypto Monkey, nor do I play one on T.V. :)
A link to the Intel version: http://www.intel.com/network/connectivity/products/pro100s_srvr_adapter.htm
I was actually putting together an order for some equipment that would be working with IPSec tunnels when these cards first came out, and seriously looked into getting them to speed up the encryption/decryption process. At the time, however, they only supported Windows NT 4.0 & Windows 2000 (which was not my OS of choice... Lots of holes... Stupid disclosure 'policy'... Yadda yadda yadda... =) ), as well as only supporting data encryption, not decryption. Looking at Intel's web site now, it looks like they have all the functionality built into the drivers for all of the OS's they support... Even Linux! ;-) Hopefully, because the drivers now support this functionality, it would be possible to tap into this for use in this scenario! You're right, it would scream!
If I were to start hammering away at adding something like this into the Snort code (as soon as I finish with the fifteen other projects I have going on right now), would there be any objections to adding in a compile time option to allow for the utilization of specialized hardware such as this NIC? I know the developers here try and keep the code as portable as possible, and it might complicate that a touch, but it would be one of those 'don't use it if you don't want to' kind of features.
Thoughts?
Thanks,
Abe
--
Abe L. Getchell
Security Engineer
abegetchell () home com