Snort mailing list archives

RE: Queries on Snort...

From: "Hutchinson, Andrew" <Andrew.Hutchinson () Vanderbilt edu>
Date: Fri, 30 Aug 2002 08:37:50 -0500

If you require decoding encrypted traffic - and I'm assuming that you're
mainly concerned with ssl to your web servers, here - you should
probably look at getting an ssl proxy, and placing your IDS behind that
to watch for http attacks.  If you have high traffic web servers,
that'll take the encryption processing off the web servers, and will
also allow you to decode the encrypted traffic.

-----Original Message-----
From: Poppi, Sandro [mailto:Sandro.Poppi () wacker com] 
Sent: Friday, August 30, 2002 5:50 AM
To: 'P.Balasubramaniam'; snort-users () lists sourceforge net
Subject: AW: [Snort-users] Queries on Snort...


Hi,

Hi,

I am suggesting Snort for Intrusion Detection requirement. I
do not know
whether the following are supported in Snort. Can you help on these
queries?

1. Does Snort support capturing and decoding encrypted traffic?


Capturing yes, but not decoding since it would be necessary to have the
private key of the recipient which you normally would not install on the
snort box ;)

2. Does Snort support playback of stored packets?


If you save packets in pcap format snort can read and interpret it as if
the packets where sent over the network snort listens.

3. Can Snort do intrusion prevention like if an intrusion occurs, it 
respond to the attack.


Yes, using the so-called "flexible response" feature.

HTH,
Sandro


-------------------------------------------------------
This sf.net email is sponsored by: OSDN - Tired of that same old cell
phone?  Get a new here for FREE!
https://www.inphonic.com/r.asp?r=sourceforge1&refcode1=vs3390
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------
This sf.net email is sponsored by: OSDN - Tired of that same old
cell phone?  Get a new here for FREE!
https://www.inphonic.com/r.asp?r=sourceforge1&refcode1=vs3390
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Queries on Snort... P.Balasubramaniam (Aug 30)
- Re: Queries on Snort... Matt Kettler (Aug 30)
  - Re: Queries on Snort... Billy Macdonald (Aug 30)
    - Re: OT:Queries on Snort... Matt Kettler (Aug 30)
- <Possible follow-ups>
- RE: Queries on Snort... Hutchinson, Andrew (Aug 30)
- RE: Queries on Snort... Jack Lyons (Aug 30)