Snort mailing list archives
RE: Encrypted sessions
From: Erek Adams <erek () theadamsfamily net>
Date: Tue, 27 Nov 2001 22:57:03 -0800 (PST)
On Wed, 28 Nov 2001, Abe L. Getchell wrote: [...snip...]
What I would love to see is a crypto feature built into Snort much like has been built into tcpdump (compiled using './configure --with-crypto' and used at run-time using 'tcpdump -E <stuff>'), with a little more flexibility (more algorithm options, better support for the ESP RFCs, etc). If the correct key or passphrase is known, it could be provided to Snort at run-time, traffic could be decrypted on the fly by a preprocessor, and the clear text data checked against the rule set being used.
That would indeed be a kick ass pre/post processor to have!
The one major drawback I see to this approach is the possibility of processor saturation. A Snort box in a high-traffic environment already has its hands full checking packets against the large number of sigs common in networks such as these. Chances are, it wouldn't have many free proc cycles to perform such a processor-intensive task as decrypting data. This feature would thus only be useful in a low-traffic environment without introducing a packet loss problem.
Hrm... This brings to mind something--Sun and IBM are both sporting Crypto Accelerator cards. Intel (and 3com?) now have a crypto chip built into some ethernet cards... With the benefit of those two bits of hardware, I wonder how much saturation you would get? If the key/algorithm is known, and can have a decoder built for it, it should scream!

And no, I'm not a Crypto Monkey, nor do I play one on T.V. :)

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net