From: Matt Kettler (mkettlerevi-inc.com)
Date: Thu May 02 2002 - 13:19:15 CDT

    Correct, and even more to the point, if snort COULD analyze the application
    layer data of https, then the whole point of using SSL in the first place
    would be lost.

    It might be possible for snort to be given a copy of the private key half
    of the server's certificate (a security risk), and use that to decode
    messages to find out the SSL session key. I'm not familiar enough with SSL
    to say for sure that that is possible.

    Even assuming that snort can be given enough secret information to find out
    the session key, the decryption alone would likely slow snort down enough
    to drop packets now and then. Once it lost one packet in an SSL stream, it
    would not likely recover easily (if SSL uses encryption properly) since the
    state of the encryption should be dependent on the past data run through it
    (this is why people use CBC and other feedback/chaining modes with block
    ciphers).

    At 01:00 PM 5/2/2002 -0400, McCammon, Keith wrote:
    >It's not that simple, as https traffic is encrypted, and snort cannot
    >decode it in the same manner as http traffic, which is in the
    >clear. Rules that apply to source and destination ports can be changed,
    >as could certain rules referencing packet size, flags, etc. However,
    >snort can't grab the application-layer data from https traffic.
    >
    >Cheers
    >
    >Keith
    >
    >-----Original Message-----
    >From: Slade Edmonds [mailto:sladesmipc.net]
    >Sent: Thursday, May 02, 2002 12:51 PM
    >To: snort-userslists.sourceforge.net
    >Subject: [Snort-users] monitoring https / SSL
    >
    >
    >Could anyone direct me to information regarding snorting SSL traffic? Is it
    >just a matter of taking the rules files designed for monitoring standard
    >http port 80 and adding an ssl port to it?
    >
    >Thanks
    >
    >
    >_______________________________________________________________
    >
    >Have big pipes? SourceForge.net is looking for download mirrors. We supply
    >the hardware. You get the recognition. Email Us: bandwidthsourceforge.net
    >_______________________________________________
    >Snort-users mailing list
    >Snort-userslists.sourceforge.net
    >Go to this URL to change user options or unsubscribe:
    >https://lists.sourceforge.net/lists/listinfo/snort-users
    >Snort-users list archive:
    >http://www.geocrawler.com/redir-sf.php3?list=snort-users

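Two caveats a practitioner reading this thread today would want, followed by an added illustration of the chaining point. First, recovering the session key from a capture with the server's private key only works for RSA key exchange, where the client encrypts the pre-master secret to the server's public key; with ephemeral Diffie-Hellman the private key yields nothing, which is one reason the supported way to inspect this traffic is to terminate SSL at a proxy or load balancer and run the IDS on the plaintext side. Second, CBC itself resynchronises one block after a gap; what makes a lost packet hard to recover from in practice is the record layer above it (record boundaries and per-record MACs that cover a sequence number). The example below is added here and is not code from the thread or from Snort: it implements CBC over a constructed toy block transform (a keyed XOR plus byte rotation, standing in for a real cipher such as AES), encrypts four blocks, drops one ciphertext block the way a sniffer that missed a packet would, and reports which recovered blocks still match. The key, IV and plaintext are constructed sample values.

```python
"""CBC chaining under packet loss, illustrated with a toy block transform (added example)."""

BLOCK = 8  # toy block size in bytes; a real cipher such as AES uses 16


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    # Constructed stand-in for a block cipher: XOR with the key, then rotate bytes.
    # It is NOT secure; it only provides an invertible, key-dependent block map.
    x = _xor(block, key)
    return x[1:] + x[:1]


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    x = block[-1:] + block[:-1]
    return _xor(x, key)


def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # Each plaintext block is XORed with the previous ciphertext block before encryption,
    # so every ciphertext block depends on all data that came before it.
    if len(plaintext) % BLOCK:
        raise ValueError("plaintext must be a whole number of blocks")
    out, prev = [], iv
    for p in blocks(plaintext):
        c = toy_block_encrypt(key, _xor(p, prev))
        out.append(c)
        prev = c
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    # Decryption needs only the previous ciphertext block, which is why CBC
    # resynchronises one block after a gap.
    out, prev = [], iv
    for c in blocks(ciphertext):
        out.append(_xor(toy_block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def simulate_lost_block(key: bytes, iv: bytes, plaintext: bytes, lost_index: int) -> list:
    """Encrypt, drop ciphertext block `lost_index` as a sniffer that missed a packet would,
    decrypt what remains, and return True/False per recovered block (does it match the
    plaintext block the sniffer should have seen at that position?)."""
    cblocks = blocks(cbc_encrypt(key, iv, plaintext))
    del cblocks[lost_index]
    recovered = blocks(cbc_decrypt(key, iv, b"".join(cblocks)))
    pblocks = blocks(plaintext)
    expected = pblocks[:lost_index] + pblocks[lost_index + 1:]
    return [r == e for r, e in zip(recovered, expected)]


# Constructed sample values (not from any real session).
KEY = b"k" * BLOCK
IV = b"\x00" * BLOCK
PLAINTEXT = b"AAAAAAAA" + b"BBBBBBBB" + b"CCCCCCCC" + b"DDDDDDDD"


if __name__ == "__main__":
    # Dropping the second ciphertext block: the block right after the gap is garbage,
    # the one after that decrypts correctly again.
    print(simulate_lost_block(KEY, IV, PLAINTEXT, 1))
```

The output for the sample values is a list of three booleans: the first block (before the gap) and the last block (two positions after the gap) match, while the block immediately after the gap does not. In a real SSL record the garbled block would also fail the record's MAC, so a passive decryptor could not silently carry on even where the cipher mode itself has resynchronised.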