Snort mailing list archives

Re: Re: Snort and encrypted protocols


From: Marsiske Stefan <stefan.marsiske () sysdata siemens hu>
Date: Thu, 16 Aug 2001 12:14:32 +0200

ok, but in this case snort can only decode the streams it has the
certificates for. if you want to scan all traffic on a network this may be a
problem.

you have to decide: either you ignore all other encrypted traffic, and if the box gets
compromised (despite a running snort and competent secadmins) you'll lose
the certs for that box only,
or you scan all encrypted traffic, detecting malicious content for all boxen,
but then there is the risk of a single point of compromise.

we have 3 choices:
no ssldump functionality:
   - contra: no scan of encrypted traffic
   - contra: certs also get compromised on a compromised host
host based ssldump functionality:
   - pro: the host's incoming/outgoing traffic gets scanned.
   - contra: loss of host certificates.
network based functionality:
   - pro: all traffic gets scanned.
   - contra: all certs are compromised.

risk evaluation should tell you which approach to use.

On Thu, Aug 16, 2001 at 11:39:51AM +0200, Renaud Lemble wrote:
I think there is no problem having server certificates if you put
snort as a host based IDS on the servers which have certificates.

Renaud LEMBLE

Marsiske Stefan wrote:

good idea, but you'll need all server certificates on the snortbox for proper
decryption. talk about a single point of failure/compromise?
btw, this is probably very slow. but anyhow a good idea for a plugin.

On Thu, Aug 16, 2001 at 10:57:50AM +0200, Renaud Lemble wrote:
Why not use ssldump to replace tcpdump in snort?
You could decode encrypted protocols if snort is used as a host based
IDS.
This would be a very interesting option.

--
------------------------
Renaud LEMBLE
renaud.lemble () cetelem fr
------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
---end quoted text---

--
Stefan [http://web.interware.hu/stef] UPDATED:001031
gpg-key: http://web.interware.hu/stef/gpg.txt
quote: "Hackers do not feel that leisure time is automatically any more
meaningful than work time. The desirability of both depends on how they are
realized. From the point of a view of a meaningful life, the entire
work/leisure duality must be abandoned. As long as we are living our work or
our leisure, we are not even truly living. Meaning cannot be found in work or
leisure but has to arise out of the nature of the activity itself. Out of
passion. Social value. Creativity."



