Snort mailing list archives
RE: Snorting SSL
From: "James R. Hendrick" <hendrick () keane-nne com>
Date: Mon, 7 Jul 2003 15:02:59 -0400
Hmmm. I suppose if you had a way to grab the site's private key, you could decrypt the traffic for every individual session the same way the real server does. (I assume you know basically how SSL works. The traffic is encrypted with a new key for each client session. To decrypt traffic encrypted with these session keys you need the private key of the server, which is not the same as its certificate.)

It would seem to me that the CPU load would quickly bottleneck a software IDS that tried to do this. I agree with the poster who suggested putting your web server(s) behind an encryption device (we love Alteons) so that it sees only unencrypted traffic. (This is also a great way to improve performance and reliability.)

If you did this, you might also want to sniff the line in front of the encryption engine(s) since they don't forward all traffic they see *to* the web servers.

Is this what you had in mind?

Jim
-----Original Message-----
From: mjm () eitsystems com [mailto:mjm () eitsystems com]
Sent: Monday, July 07, 2003 11:57 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snorting SSL

Is there any way to decrypt SSL sessions for IDS analysis by snort? I understand why this cannot happen now, but is there a feasible way if you could use your web server's certificate or something to snort this traffic? Curious if anyone knows or has any ideas.

-mike mccasland

-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including Data Reports, E-commerce, Portals, and Forums are available now. Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100006ave/direct;at.asp_061203_01/01
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
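The point made in the reply above about per-session keys and the server's private key, as an added example that is not part of the original thread: a simplified model of an RSA key exchange in which a passive sensor holding the private key recovers each session's key, while the public key from the certificate does not. The toy RSA key, the key derivation and the stream cipher are constructed stand-ins, not real SSL.

```python
import hashlib, hmac, secrets

# Constructed toy RSA key built from two Mersenne primes; illustration only, not secure.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                      # public half: what the certificate carries
D = pow(E, -1, (P - 1) * (Q - 1))        # private half: stays on the server
N_BYTES = (N.bit_length() + 7) // 8

def derive_session_key(pre_master, client_random, server_random):
    # Simplified stand-in for the SSL key derivation (the real PRF differs).
    return hmac.new(pre_master, client_random + server_random, hashlib.sha256).digest()

def keystream_xor(key, data):
    # Stand-in stream cipher: SHA-256 in counter mode XORed with the data.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def client_session(request):
    """Return what a passive sensor would capture on the wire for one session."""
    client_random, server_random = secrets.token_bytes(32), secrets.token_bytes(32)
    pre_master = secrets.token_bytes(48)                          # fresh secret per session
    encrypted_pms = pow(int.from_bytes(pre_master, "big"), E, N)  # unpadded RSA, toy only
    key = derive_session_key(pre_master, client_random, server_random)
    return {"client_random": client_random, "server_random": server_random,
            "encrypted_pms": encrypted_pms, "ciphertext": keystream_xor(key, request)}

def sensor_decrypt(capture, exponent):
    """Passive decryption attempt: one RSA modular exponentiation per captured session."""
    recovered = pow(capture["encrypted_pms"], exponent, N)
    pre_master = recovered.to_bytes(N_BYTES, "big")[-48:]
    key = derive_session_key(pre_master, capture["client_random"], capture["server_random"])
    return keystream_xor(key, capture["ciphertext"])

if __name__ == "__main__":
    request = b"GET /constructed-example HTTP/1.0\r\n\r\n"   # constructed sample input
    for n in (1, 2):
        capture = client_session(request)
        print(n, "private key:", sensor_decrypt(capture, D))
        print(n, "certificate only:", sensor_decrypt(capture, E)[:16].hex(), "...")
```

Each session costs the sensor one private-key operation, which is the CPU load the reply warns about.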
Current thread:
- Snorting SSL mjm (Jul 07)
- Re: Snorting SSL Derya Sezen (Jul 07)
- <Possible follow-ups>
- RE: Snorting SSL Hutchinson, Andrew (Jul 07)
- Re: Snorting SSL Jason Haar (Jul 07)
- RE: Snorting SSL James R. Hendrick (Jul 07)
- Re: Snorting SSL Ryan Johnson (Jul 07)