RE: Encrypted sessions

[Erek Adams <erek () theadamsfamily net>]

On Wed, 28 Nov 2001, Abe L. Getchell wrote:

[...snip...]

> What I would love to see is a crypto feature built into Snort much like
> has been built into tcpdump (compiled using './configure --with-crypto'
> and used at run-time using 'tcpdump -E <stuff>'), with a little more
> flexibility (more algorithm options, better support for the ESP RFC's,
> etc).  If the correct key or passphrase is known, it could be provided
> to Snort at run-time, traffic could be decrypted on the fly by a
> preprocessor, and the clear text data checked against the rule set being
> used.

That would indeed be a kick ass pre/post processor to have!

> The one major drawback I see to this approach is the possibility of
> processor saturation.  A Snort box in a high-traffic environment already
> has it's hands full checking packets against the large number of sigs
> common in networks such as these.  Chances are, it wouldn't have many
> free proc cycles to perform such a processor intensive task as
> decrypting data.  This feature would thus only be useful in a
> low-traffic environment without introducing a packet loss problem.

Hrm...  This brings to mind something--Sun and IBM are both sporting Crypto
Accelerator cards.  Intel (and 3com?) now have a crypto chip built into some
ethernet cards...  With the benefit of those two bits of hardware, I wonder
how much saturation you would get?  If the key/algorithm is known, and can
have a decoder built for it, it should scream!  And no, I'm not a Crypto
Monkey, nor do I play one on T.V.  :)

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users