Snort mailing list archives
RE: Encrypted sessions
From: "Abe L. Getchell" <abegetchell () home com>
Date: Mon, 3 Dec 2001 17:21:54 -0500
Greetings!

Yes, putting Snort behind the point of encryption/decryption is a much easier solution in most situations, but there are cases when that's not possible. Certain contract or security policy restrictions, in the past, have kept me from placing a sensor on a client's internal network. However, the client(s) wanted to monitor all traffic coming into their network from the Internet, including the traffic which was being encrypted.

The important thing to remember here is, "VPN Traffic" != "Internal Network Traffic". Most organizations' security policies do (or should) define VPN traffic under a lower security classification than internal network traffic. While it might not be cleartext, it is traversing the Internet nonetheless.

Thanks,
Abe

--
Abe L. Getchell
Security Engineer
abegetchell () home com
-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Ju Kong Fui
Sent: Wednesday, November 28, 2001 8:18 PM
To: snort-users () lists sourceforge net; snort-devel () lists sourceforge net
Subject: RE: [Snort-users] Encrypted sessions

Having snort decrypt traffic is not a good idea. Putting snort before the encryption point/gateway is much easier to deal with <-- working with the design of the network. For an end-to-end vpn tunnel, use a host based IDS.

-----Original Message-----
From: Abe L. Getchell [mailto:abegetchell () home com]
Sent: Wednesday, November 28, 2001 1:35 PM
To: 'Ronneil Camara'
Cc: snort-users () lists sourceforge net; snort-devel () lists sourceforge net
Subject: RE: [Snort-users] Encrypted sessions

Hi Neil,

Snort would never see the attacks in the encrypted communications between the two hosts. The data of a packet which contains an attack (should it be a web-based attack utilizing SSL or an attack against telnetd through an IPSec tunnel) would simply look like garbled data to your Snort sensor.

What I would love to see is a crypto feature built into Snort much like has been built into tcpdump (compiled using './configure --with-crypto' and used at run-time using 'tcpdump -E <stuff>'), with a little more flexibility (more algorithm options, better support for the ESP RFCs, etc.). If the correct key or passphrase is known, it could be provided to Snort at run-time, traffic could be decrypted on the fly by a preprocessor, and the clear text data checked against the rule set being used.

The one major drawback I see to this approach is the possibility of processor saturation. A Snort box in a high-traffic environment already has its hands full checking packets against the large number of sigs common in networks such as these. Chances are, it wouldn't have many free proc cycles to perform such a processor intensive task as decrypting data. This feature would thus only be useful in a low-traffic environment without introducing a packet loss problem.

Thanks,
Abe

--
Abe L. Getchell
Security Engineer
abegetchell () home com

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Ronneil Camara
Sent: Tuesday, November 27, 2001 3:53 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Encrypted sessions

How does snort deal with encrypted communication? Let's say I would like to monitor an https connection to my web server, or we've got an encrypted connection to another mail server. Would snort know about those attacks? This is what the big vendor company mentioned to me about snort's weakness.

Thanks.
Neil

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
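The decrypt-then-inspect preprocessor Abe proposes in the thread above, as an added example that is not part of the thread and is not Snort's or tcpdump's code: a small Go program that takes an ESP packet whose SA key is known (the same "known key supplied at run time" model as tcpdump -E), recovers the cleartext with AES-128-CBC, validates the ESP trailer, and only then runs content checks over it. The ESP packet, the SPI, the key, the request it carries and the two content rules are all constructed in-process for the demo; the rule type is a stand-in for a Snort content match, not Snort's rule format. The program first runs the matcher over the raw ESP bytes to show why a sensor without the key sees nothing, then over the decrypted payload.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Rule is a minimal stand-in for a Snort content rule: Msg fires when
// Pattern occurs anywhere in the inspected bytes.
type Rule struct {
	Msg     string
	Pattern []byte
}

// Rules is a constructed rule set for the demo, not Snort's.
var Rules = []Rule{
	{"WEB-MISC /etc/passwd access", []byte("/etc/passwd")},
	{"TELNET root login attempt", []byte("login: root")},
}

// SAKeys maps an ESP SPI to its AES-128 key, the way tcpdump -E takes
// "spi@host algo:secret". Demo SPI and key; a real sensor would load
// these from configuration, never from a fixed string.
var SAKeys = map[uint32][]byte{
	0x10000001: []byte("0123456789abcdef"),
}

const (
	espHeaderLen = 8             // SPI (4) + sequence number (4)
	ivLen        = aes.BlockSize // CBC IV sent in clear after the header
)

// BuildSample constructs an ESP packet in the RFC 4303 layout (SPI, seq,
// IV, AES-CBC encrypted payload + trailer, no ICV) carrying a request
// that trips one rule. Real packets would come off the wire; this one is
// built here so the example runs offline.
func BuildSample() []byte {
	plaintext := []byte("GET /cgi-bin/view?file=../../etc/passwd HTTP/1.0\r\n\r\n")
	key := SAKeys[0x10000001]
	iv := []byte("demo-iv-16-bytes") // fixed IV only because this is a demo

	// ESP trailer: pad bytes 1,2,3,... up to the block size, then the pad
	// length and the next-header value (6 = TCP).
	padLen := (aes.BlockSize - (len(plaintext)+2)%aes.BlockSize) % aes.BlockSize
	body := append([]byte{}, plaintext...)
	for i := 1; i <= padLen; i++ {
		body = append(body, byte(i))
	}
	body = append(body, byte(padLen), 6)

	block, _ := aes.NewCipher(key)
	ct := make([]byte, len(body))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, body)

	pkt := make([]byte, espHeaderLen)
	binary.BigEndian.PutUint32(pkt[0:4], 0x10000001)
	binary.BigEndian.PutUint32(pkt[4:8], 1)
	pkt = append(pkt, iv...)
	return append(pkt, ct...)
}

// DecryptESP recovers the inner payload and next-header value of an ESP
// packet whose SPI has a known key. Without an ICV the only sanity check
// is the trailer, so a wrong key is rejected by the padding check in
// almost all cases rather than producing random bytes for the matcher.
func DecryptESP(pkt []byte, keys map[uint32][]byte) ([]byte, byte, error) {
	if len(pkt) < espHeaderLen+ivLen+aes.BlockSize {
		return nil, 0, errors.New("esp: packet too short")
	}
	spi := binary.BigEndian.Uint32(pkt[0:4])
	key, ok := keys[spi]
	if !ok {
		return nil, 0, fmt.Errorf("esp: no key for SPI 0x%08x", spi)
	}
	iv := pkt[espHeaderLen : espHeaderLen+ivLen]
	ct := pkt[espHeaderLen+ivLen:]
	if len(ct)%aes.BlockSize != 0 {
		return nil, 0, errors.New("esp: ciphertext not block aligned")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, 0, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)

	nextHdr := pt[len(pt)-1]
	padLen := int(pt[len(pt)-2])
	if padLen+2 > len(pt) {
		return nil, 0, errors.New("esp: bad pad length (wrong key?)")
	}
	payload := pt[:len(pt)-2-padLen]
	for i, b := range pt[len(payload) : len(payload)+padLen] {
		if b != byte(i+1) {
			return nil, 0, errors.New("esp: bad padding (wrong key?)")
		}
	}
	return payload, nextHdr, nil
}

// MatchRules runs the content checks over a buffer and returns the
// messages of every rule that fires.
func MatchRules(buf []byte, rules []Rule) []string {
	var hits []string
	for _, r := range rules {
		if bytes.Contains(buf, r.Pattern) {
			hits = append(hits, r.Msg)
		}
	}
	return hits
}

// Inspect is the proposed preprocessor step: decrypt with the SA key,
// then hand the cleartext to the rule matcher.
func Inspect(pkt []byte, keys map[uint32][]byte) ([]string, error) {
	payload, _, err := DecryptESP(pkt, keys)
	if err != nil {
		return nil, err
	}
	return MatchRules(payload, Rules), nil
}

func main() {
	pkt := BuildSample()
	fmt.Printf("alerts on raw ESP bytes: %v\n", MatchRules(pkt, Rules))
	alerts, err := Inspect(pkt, SAKeys)
	fmt.Printf("alerts after decryption: %v (err=%v)\n", alerts, err)
	_, err = Inspect(pkt, map[uint32][]byte{}) // no key for this SA
	fmt.Println("without the SA key:", err)
}
```

Every packet on a busy SA goes through one AES-CBC pass before any rule is evaluated, which is exactly where the processor saturation concern raised in the thread bites; a sensor doing this has to budget for the cipher cost on top of rule matching, or it starts dropping packets. Note also that this example has no ICV, so a wrong key is caught only by the padding check, which is a heuristic, not an integrity check.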
Current thread:
- Re: Encrypted sessions, (continued)
- Re: Encrypted sessions Mike Shaw (Nov 27)
- RE: Encrypted sessions Michael Aylor (Nov 27)
- Re: Encrypted sessions Fyodor (Nov 27)
- Encrypted sessions Michael Scheidell (Nov 27)
- RE: Encrypted sessions Ronneil Camara (Nov 27)
- RE: Encrypted sessions Bob Walder (Nov 28)
- RE: Encrypted sessions Abe L. Getchell (Nov 28)
- RE: Encrypted sessions Tom Sevy (Nov 28)
- RE: Encrypted sessions Chris Eidem (Nov 28)
- RE: Encrypted sessions Ju Kong Fui (Nov 28)
- RE: Encrypted sessions Abe L. Getchell (Dec 03)
- RE: Encrypted sessions Ju Kong Fui (Nov 28)
- Re: Encrypted sessions Fyodor (Nov 28)