Snort mailing list archives

Re: Encrypted sessions


From: Erek Adams <erek () theadamsfamily net>
Date: Tue, 27 Nov 2001 13:13:57 -0800 (PST)

On Tue, 27 Nov 2001, Ronneil Camara wrote:

> How does snort deal with encrypted communication? Let's say I would like to
> monitor an https connection to my web server, or we've got an encrypted
> connection to another mail server. Would snort know about those attacks?

No problem--If you've got the SSL key, that is!  :)

> This is what the big vendor company mentioned to me about snort's
> weakness.

*sigh*  I just love marketing/sales techno-babble.  Not!

If it's encrypted traffic, to examine the traffic you would have to decode it.
If you have the keys then you can hook up ssldump (I think that's the
name--have to check my notes at home) and pipe the data into snort.  Snort
can then tell you anything about it. :)

Also look into SPADE.  SPADE does, among other things, anomaly detection.  You
can use that to see when you have a spike in a certain type of activity.

Anyone else got a better way to play with encryption?  I'm looking for new
ideas!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

