Re: SSL traffic

[Jason Haar <Jason.Haar () trimble co nz>]

On Sat, Apr 10, 2004 at 03:48:34PM -0500, eric-dated-1083277626.193075aa63e273 () catastrophe net wrote:
> You would need to decrypt the SSLized traffic. There's tools to do
> this -- sslsniff comes to mind. Or, you could find a way to use the

No it can't. This has become a bit of a "urban forktale". Tools such as
ssldump - if provided with a copy of the private key of one of the end nodes
on a SSL transaction - can decrypt SSL traffic encrypted using "static RSA
keys". No-one uses "static RSA keys" - so to say ssldump can decrypt normal
HTTPS SSL traffic is an extreme stretch. 

The way to allow IDS to see HTTPS traffic is to make it see HTTP traffic.
i.e. put in a reverse proxy. Get it to convert the incoming HTTPS connection
into a HTTP connection to the backend server. We do it - it works fine.

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users