Snort mailing list archives
Re: encrypted traffic
From: Victor Roemer <viroemer () cisco com>
Date: Mon, 10 Aug 2015 18:16:37 -0400
Marcio, some explanations inline.

On 8/10/15 09:59, Marcio Guerreiro wrote:
> Hi all
> I have a question… I hope you guys can suggest me something to read about it…
> Considering that a great number of websites use SSL and the Snort documentation suggests that we should *not enable encrypted traffic verification*.. what is going to happen?

Where do you see the words "Encrypted traffic verification", the keyword being "verification"?

Snort with the ssl preproc can "detect" when SSL traffic finishes the handshake and goes encrypted; but once it is encrypted, there is little that can be done. Snort does not have a built-in SSL decryptor, so tracking the TCP connection and evaluating IPS rules etc. is, in general, a waste of resources.
> 1 - Should Snort be deployed with powerful hardware capable of dealing with the expensive computational demand generated by encrypted traffic?

See above.

> 2 - Should I remove *noinspect_encrypted from my snort.conf* and enable the encrypted verification?

From what I'm reading, I would not suggest removing the setting.

> 3 - If I enable that, will Snort verify the whole packet contents? (data payload)

Snort does not do decryption of SSL, so if you're asking "if I disable noinspect_encrypted, will I be safe from malevolent HTTP servers/clients?" the answer is no.
What you need, is an SSL Proxy to perform the SSL termination (encryption/decryption) that runs separate from your application (e.g., HTTP server). In between the SSL Proxy and the HTTP server/clients is where you would deploy Snort.
Doing a setup like this can be daunting. Configuration tweaking alone will become mind-numbing as Google search results fail to yield useful examples. If the DIY is too much of a learning curve, there do exist non-free commercial products that tackle this directly. At Cisco, our NGFW products provide this capability without the extra overhead of separate systems; the best part is that they do not require sending plaintext from your application to an SSL terminator.

Please note that I would not normally suggest non-free software on the list; I am not familiar with any alternative that is feature complete, secure, and readily deployable.
P.S., if you want to learn more on the subject, search Google for *mitmproxy*. It's a pretty cool tool.
-Victor
> Thank you
> Marcio
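The behaviour Victor describes, as an added example that is not part of the original thread and not code from the Snort project: a toy model of what the Snort 2.x ssl preprocessor does with noinspect_encrypted. It walks the TLS record layer of a constructed client/server exchange, marks the flow encrypted once both peers have sent ChangeCipherSpec, and from then on either skips the payload (the noinspect_encrypted case) or hands ciphertext to a content rule, which cannot match. The record bytes are constructed by hand, the handshake bodies are placeholders, and the "cipher" is a fixed XOR stand-in (assumptions made only to keep the example offline and deterministic; none of it resembles real TLS key material). The proxy_terminated_match function stands in for the SSL-proxy deployment he suggests, where Snort sees the same request as plain HTTP.

```python
"""Toy model of Snort's ssl preprocessor handling of encrypted TLS flows.

Added example, not Snort project code.  TLS record framing is real; the
handshake bodies and the XOR "cipher" are constructed stand-ins.
"""
import struct

CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA = 20, 21, 22, 23
TLS12 = 0x0303


def tls_record(content_type, payload, version=TLS12):
    """Wrap payload in a TLS record header: type(1) version(2) length(2)."""
    return struct.pack("!BHH", content_type, version, len(payload)) + payload


def parse_records(data):
    """Yield (content_type, payload) for each complete TLS record in data."""
    off = 0
    while off + 5 <= len(data):
        ctype, _ver, length = struct.unpack("!BHH", data[off:off + 5])
        if off + 5 + length > len(data):
            break  # truncated record: a real preprocessor would buffer and wait
        yield ctype, data[off + 5:off + 5 + length]
        off += 5 + length


def toy_encrypt(plaintext, key=b"\x5a"):
    """Stand-in for the record cipher (assumption): NOT cryptography, it only
    makes the bytes opaque to a content match, which is all this demo needs."""
    return bytes(b ^ key[0] for b in plaintext)


class SslFlow:
    """Per-connection state, mimicking the preprocessor's handshake tracking."""

    def __init__(self, noinspect_encrypted=True):
        self.noinspect_encrypted = noinspect_encrypted
        self.ccs_seen = {"client": False, "server": False}
        self.encrypted = False
        self.inspected = []   # payloads handed on to rule evaluation
        self.skipped = 0      # bytes dropped from inspection as encrypted

    def feed(self, direction, data):
        """Process one direction's TCP segment worth of TLS records."""
        for ctype, payload in parse_records(data):
            if self.encrypted and self.noinspect_encrypted:
                self.skipped += len(payload)   # do not waste rule evaluation on ciphertext
                continue
            self.inspected.append(payload)
            if ctype == CHANGE_CIPHER_SPEC:
                self.ccs_seen[direction] = True
                # once both peers have switched ciphers, everything after is ciphertext
                if all(self.ccs_seen.values()):
                    self.encrypted = True


def content_rule_matches(flow, pattern):
    """A Snort-style 'content' match over whatever payload reached inspection."""
    return any(pattern in p for p in flow.inspected)


REQUEST = b"GET /etc/passwd HTTP/1.1\r\nHost: victim\r\n\r\n"  # constructed sample


def run_exchange(noinspect_encrypted):
    """Replay a constructed TLS 1.2 handshake, then the HTTP request inside it."""
    flow = SslFlow(noinspect_encrypted)
    flow.feed("client", tls_record(HANDSHAKE, b"\x01" + b"\x00" * 40))  # ClientHello (placeholder body)
    flow.feed("server", tls_record(HANDSHAKE, b"\x02" + b"\x00" * 40))  # ServerHello (placeholder body)
    # ChangeCipherSpec followed by the (already encrypted) Finished message, each side
    flow.feed("client", tls_record(CHANGE_CIPHER_SPEC, b"\x01")
              + tls_record(HANDSHAKE, toy_encrypt(b"\x14" + b"\x00" * 12)))
    flow.feed("server", tls_record(CHANGE_CIPHER_SPEC, b"\x01")
              + tls_record(HANDSHAKE, toy_encrypt(b"\x14" + b"\x00" * 12)))
    flow.feed("client", tls_record(APPLICATION_DATA, toy_encrypt(REQUEST)))
    return flow


def proxy_terminated_match(pattern):
    """Snort placed between an SSL terminator and the HTTP server sees plaintext,
    so the same rule that is blind above can fire here."""
    return pattern in REQUEST


if __name__ == "__main__":
    for setting in (True, False):
        f = run_exchange(setting)
        print(f"noinspect_encrypted={setting}: encrypted={f.encrypted} "
              f"inspected_records={len(f.inspected)} skipped_bytes={f.skipped} "
              f"rule_match={content_rule_matches(f, b'GET /etc/passwd')}")
    print("behind SSL proxy: rule_match =", proxy_terminated_match(b"GET /etc/passwd"))
```

Run both settings and compare: with noinspect_encrypted the application data never reaches rule evaluation, and without it the bytes are evaluated but the content match still fails, which is the answer to question 3 above. Only the proxy-terminated view yields a match.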
Current thread:
- encrypted traffic Marcio Guerreiro (Aug 10)
- Re: encrypted traffic Victor Roemer (Aug 10)