Snort mailing list archives

RE: monitoring https / SSL


From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 02 May 2002 14:19:15 -0400

Correct, and even more to the point, if snort COULD analyze the application layer data of https, then the whole point of using SSL in the first place would be lost.

It might be possible for snort to be given a copy of the private key half of the server's certificate (a security risk), and use that to decode messages to find out the SSL session key. I'm not familiar enough with SSL to say for sure that is possible.

Even assuming that snort can be given enough secret information to find out the session key, the decryption alone would likely slow snort down enough to drop packets now and then. Once it lost one packet in an SSL stream, it would not likely recover easily (if SSL uses encryption properly) since the state of the encryption should depend on the past data run through it (this is why people use CBC and other feedback/chaining modes with block ciphers).


At 01:00 PM 5/2/2002 -0400, McCammon, Keith wrote:
It's not that simple, as https traffic is encrypted, and snort cannot decode it in the same manner as http traffic, which is in the clear. Rules that apply to source and destination ports can be changed, as could certain rules referencing packet size, flags, etc. However, snort can't grab the application-layer data from https traffic.

Cheers

Keith

-----Original Message-----
From: Slade Edmonds [mailto:slade () smipc net]
Sent: Thursday, May 02, 2002 12:51 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] monitoring https / SSL


Could anyone direct me to information regarding snorting SSL traffic?  Is it
just a matter of taking the rules files designed for monitoring standard
http port 80 and adding an ssl port to it?

Thanks


_______________________________________________________________

Have big pipes? SourceForge.net is looking for download mirrors. We supply
the hardware. You get the recognition. Email Us: bandwidth () sourceforge net
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
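An added example, not code from this thread or from the Snort project: a small Python parser for the TLS record layer that shows what a passive sensor on port 443 can still read without the server's key (record types, protocol version, lengths, handshake message types) and that a Snort-style content match has nothing to search once the stream is encrypted. The byte stream is constructed for the example; the type tables carry the standard TLS code points.

```python
import struct

CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE = {1: "client_hello", 2: "server_hello", 11: "certificate", 16: "client_key_exchange"}

def parse_records(stream):
    """Split a byte stream into TLS records: (content_type, (major, minor), payload).
    A truncated trailing record is dropped rather than guessed at, which is also
    the situation a sensor is in after it has missed a packet."""
    records, off = [], 0
    while off + 5 <= len(stream):
        ctype, major, minor, length = struct.unpack("!BBBH", stream[off:off + 5])
        if off + 5 + length > len(stream):
            break
        records.append((ctype, (major, minor), stream[off + 5:off + 5 + length]))
        off += 5 + length
    return records

def inspect(stream):
    """Return (summary_lines, plaintext_payloads). Records after the
    ChangeCipherSpec are ciphertext: only type, version and length are noted."""
    lines, plaintext, encrypted = [], [], False
    for ctype, (major, minor), payload in parse_records(stream):
        name = CONTENT.get(ctype, "unknown(%d)" % ctype)
        if ctype == 22 and not encrypted and payload:
            name += "/" + HANDSHAKE.get(payload[0], "type%d" % payload[0])
        if not encrypted:
            plaintext.append(payload)
        lines.append("%s v%d.%d len=%d%s" % (name, major, minor, len(payload),
                                             " (opaque)" if encrypted else ""))
        if ctype == 20:
            encrypted = True
    return lines, plaintext

def content_match(stream, needle):
    """Emulate a Snort content match: only bytes the sensor can actually read are searched."""
    _, plaintext = inspect(stream)
    return any(needle in p for p in plaintext)

# Constructed sample (not a real capture): a shortened ClientHello, the client's
# ChangeCipherSpec, then one application_data record carrying the encrypted request.
SAMPLE = (
    bytes.fromhex("1603010006" "010000020301")                 # handshake / client_hello
    + bytes.fromhex("1403010001" "01")                         # change_cipher_spec
    + bytes.fromhex("1703010010") + bytes(range(0x80, 0x90))   # application_data, opaque
)

if __name__ == "__main__":
    for line in inspect(SAMPLE)[0]:
        print(line)
    print("content 'GET /' matches:", content_match(SAMPLE, b"GET /"))
```

Port and size based rules still apply to such records; a rule that keys on request text never fires because the sensor only ever sees the opaque payload.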