Snort mailing list archives
Re: Re: Snort and encrypted protocols
From: Marsiske Stefan <stefan.marsiske () sysdata siemens hu>
Date: Thu, 16 Aug 2001 12:14:32 +0200
ok, but in this case snort can only decode the streams it has the certificates for. if you want to scan all traffic on a network this may be a problem. you have to decide: to ignore all other encrypted traffic, and if the box gets compromised (despite a running snort, and competent secadmins) you'll lose the certs for that box only. or you scan all encrypted traffic detecting malicious content for all boxen. but then there is the risk of a single point of compromise.

we have 3 choices:

no ssldump functionality:
- contra: no scan of encrypted traffic
- contra: certs get also compromised on compromised host

host based ssldump functionality:
- pro: hosts' incoming/outgoing traffic gets scanned.
- contra: loss of host certificates.

network based functionality:
- pro: all traffic gets scanned.
- contra: all certs are compromised.

risk evaluation should tell you which approach to use.

On Thu, Aug 16, 2001 at 11:39:51AM +0200, Renaud Lemble wrote:
> I think there is no problem to have server certificates if you put snort as a host based IDS on the servers which have certificates.
>
> Renaud LEMBLE
>
> Marsiske Stefan wrote:
> > good idea, but you'll need all server certificates on the snortbox for proper decryption. talk about single point of failure/compromise? btw, this is probably very slow. but anyhow a good idea for a plugin.
> >
> > On Thu, Aug 16, 2001 at 10:57:50AM +0200, Renaud Lemble wrote:
> > > Why not use ssldump to replace tcpdump in snort? You could decode encrypted protocols if snort is used as a host based ids. This will be a very interesting option.
> > >
> > > --
> > > ------------------------
> > > Renaud LEMBLE
> > > renaud.lemble () cetelem fr
> > > ------------------------
> > >
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > http://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > --
> > Stefan [http://web.interware.hu/stef] UPDATED:001031
> > gpg-key: http://web.interware.hu/stef/gpg.txt
> > quote: "Hackers do not feel that leisure time is automatically any more meaningful than work time. The desirability of both depends on how they are realized. From the point of a view of a meaningful life, the entire work/leisure duality must be abandoned. As long as we are living our work or our leisure, we are not even truly living. Meaning cannot be found in work or leisure but has to arise out of the nature of the activity itself. Out of passion. Social value. Creativity."
Current thread:
- Snort and encrypted protocols Renaud Lemble (Aug 16)
- Re: Snort and encrypted protocols Marsiske Stefan (Aug 16)
- Re: Snort and encrypted protocols Renaud Lemble (Aug 16)
- Re: Re: Snort and encrypted protocols Marsiske Stefan (Aug 16)
- Re: Snort and encrypted protocols Renaud Lemble (Aug 16)
- Re: Snort and encrypted protocols Marsiske Stefan (Aug 16)