Snort mailing list archives
Possible issues with SSl Preprocessor?
From: L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com>
Date: Fri, 5 Aug 2011 08:56:12 -0500
Hello. I have what may be a issue with the SSL pre-processor consuming processors cycles for encrypted traffic. The Snort is 2.9.0.5. In my snort.conf I have the following line: preprocessor ssl: noinspect_encrypted When I start snort I run this: # snort -c /etc/snort/snort.conf -u pcap -D -k none --daq afpacket -b -i eth0 "port 443" Most of alls the traffic this should see is SSL and it should not be inspected after the snort determines it is SSL due to the 4-way handshake. HOWEVER, this process is consuming 75-100% of my processor. I thought once the snort realized it was SSl (encrypted), it would not enspect that stream anymore. But then why so much processor usage? Yes there is a lot of SSL traffic but just looking at 7 packets per stream (maybe a few more depending on fragmentation, window size, and PSH flags, etc.) does not seem logical to me to use so much of the CPU. Thank you for any insights. -L0rd C. ------------------------------------------------------------------------------ BlackBerry® DevCon Americas, Oct. 18-20, San Francisco, CA The must-attend event for mobile developers. Connect with experts. Get tools for creating Super Apps. See the latest technologies. Sessions, hands-on labs, demos & much more. Register early & save! http://p.sf.net/sfu/rim-blackberry-1 _______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel
Current thread:
- Possible issues with SSl Preprocessor? L0rd Ch0de1m0rt (Aug 06)