Snort mailing list archives

Re: SSL traffic

From: Frank Meerkoetter <frank () betaversion net>
Date: Sat, 10 Apr 2004 22:50:15 +0200

On Sat, Apr 10, 2004 at 01:22:55PM -0700, Frank Dobb wrote:
Hi,

Can snort - when acting as a host based IDS detect
malicious HTTP requests over SSL? The platfoms I need


No Snort can't do this. Snort gets a copy of every paket read of the wire. 
If the payload is encrypted you're out of luck. The decryption is done
at a higher level (SSL -> application level).

to potect are IIS/Win system and also Apache/Linux and
Win enviroment. 

If Snort can not do this - what is the recommended
HIDS for this kind of config. (pref opensource)


For the Apache webserver mod_security should do the trick
(http://www.modsecurity.org). They also have a perl script which can
transform snort signatures to rules usable by mod_security.

HTH Frank
-- 
mixed emotions:
        Watching a bus-load of lawyers plunge off a cliff.
        With five empty seats.


-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

SSL traffic Frank Dobb (Apr 10)
- Re: SSL traffic eric-dated-1083277626 . 193075aa63e273 (Apr 10)
  - Re: SSL traffic Jason Haar (Apr 11)
- Re: SSL traffic Frank Meerkoetter (Apr 10)
- <Possible follow-ups>
- SSL traffic Frank Dobb (Apr 12)
- RE: SSL traffic Harper, Patrick (Apr 12)