RE: monitoring https / SSL

["McCammon, Keith" <Keith.McCammon () eadvancemed com>]

It's not that simple, as https traffic is encrypted, and snort cannot decode it in the same manner as http traffic, 
which is in the clear.  Rules that apply to source and destination ports can be changed, as could certain rules 
referencing packet size, flags, etc.  However, snort can't grab the application-layer data from https traffic.

Cheers

Keith

-----Original Message-----
From: Slade Edmonds [mailto:slade () smipc net]
Sent: Thursday, May 02, 2002 12:51 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] monitoring https / SSL


Could anyone direct me to information regarding snorting SSL traffic?  Is it
just a matter of taking the rules files designed for monitoring standard
http port 80 and adding an ssl port to it?

Thanks


_______________________________________________________________

Have big pipes? SourceForge.net is looking for download mirrors. We supply
the hardware. You get the recognition. Email Us: bandwidth () sourceforge net
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

_______________________________________________________________

Have big pipes? SourceForge.net is looking for download mirrors. We supply
the hardware. You get the recognition. Email Us: bandwidth () sourceforge net
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users