Snort mailing list archives
Re: SSL traffic
From: eric-dated-1083277626.193075aa63e273 () catastrophe net
Date: Sat, 10 Apr 2004 15:48:34 -0500
On Sat, 2004-04-10 at 13:22:55 -0700, Frank Dobb proclaimed...
Can snort - when acting as a host based IDS detect malicious HTTP requests over SSL? The platfoms I need to potect are IIS/Win system and also Apache/Linux and Win enviroment. If Snort can not do this - what is the recommended HIDS for this kind of config. (pref opensource)
Frank, You would need to decrypt the SSLized traffic. There's tools to do this -- sslsniff comes to mind. Or, you could find a way to use the private key (held on the webserver) to decrypt inbound traffic at one of the transit points you're monitoring. As far as IIS, there's a tool called urlscan to further secure IIS servers -- I've never used it personally, but hear it's ok. - Eric ------------------------------------------------------- This SF.Net email is sponsored by: IBM Linux Tutorials Free Linux tutorial presented by Daniel Robbins, President and CEO of GenToo technologies. Learn everything from fundamentals to system administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- SSL traffic Frank Dobb (Apr 10)
- Re: SSL traffic eric-dated-1083277626 . 193075aa63e273 (Apr 10)
- Re: SSL traffic Jason Haar (Apr 11)
- Re: SSL traffic Frank Meerkoetter (Apr 10)
- <Possible follow-ups>
- SSL traffic Frank Dobb (Apr 12)
- RE: SSL traffic Harper, Patrick (Apr 12)
- Re: SSL traffic eric-dated-1083277626 . 193075aa63e273 (Apr 10)