Snort mailing list archives

Re: Snort SSL decryption


From: "Michael H. Warfield" <mhw () wittsend com>
Date: Sun, 09 Jul 2017 13:30:56 -0400

On Fri, 2017-06-23 at 17:34 -0600, Rajkumar via Snort-users wrote:
> Hi,
>
> Does Snort have any predefined preprocessor that does SSL
> decryption (given the private key of the server)? If not, what would be
> your best recommendations for making Snort work on decrypted traffic?

Ideally...  If the web server has TLS 1.2+, DH (Diffie-Hellman key
exchange), and PFS (Perfect Forward Secrecy) enabled (which is pretty
much required if you want a decent SSL site rating from the Qualys
ssllabs) having the server key will not help.  The ephemeral keys are
negotiated using DH and then rotated during the session via PFS.  Any
"A" or "A+" rated site is going to be secure even if you have the
server private key.  That's by design.

https://www.ssllabs.com/ssltest/

> Raj

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (706) 850-8770 |  mhw () WittsEnd com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
ARIN whois: ARIN-MHW9       | An optimist believes we live in the best of all
PGP Key: 0xC0EB9675674627FF | possible worlds.  A pessimist is sure of it!

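The point Mike makes above, shown in code. This is an added illustration, not code from the thread or from Snort: a passive sensor that holds the server's long-term private key can recover the session key of an RSA-key-exchange session by replaying the server's own decryption step, but for an ephemeral Diffie-Hellman session the same key only lets it verify a signature, because the premaster g^ab never crosses the wire. The RSA key (textbook RSA over two Mersenne primes), the DH group (p = 2^521 - 1, g = 3), the simplified key derivation, and all function names are assumptions made for the demo, not real TLS parameters.

```python
"""Added demo (not from the mailing-list thread): server private key vs.
RSA key exchange and vs. ephemeral DH.  Standard library only."""
import hashlib
import secrets

# Toy long-term server key: textbook RSA over two Mersenne primes.  Constructed
# for this example only; real TLS uses padded RSA (PKCS#1 v1.5 / PSS) with
# moduli of at least 2048 bits.
_P = (1 << 127) - 1          # 2^127 - 1, prime
_Q = (1 << 521) - 1          # 2^521 - 1, prime
RSA_N = _P * _Q
RSA_E = 65537
RSA_D = pow(RSA_E, -1, (_P - 1) * (_Q - 1))   # the "server private key"

# Toy DH group (an assumption for the demo, not a TLS-registered group; real
# deployments use ffdhe2048+ or an elliptic-curve group such as X25519).
DH_P = (1 << 521) - 1
DH_G = 3


def _kdf(premaster: int, client_random: bytes, server_random: bytes) -> bytes:
    """Stand-in for the TLS PRF: session key from premaster and both randoms."""
    return hashlib.sha256(premaster.to_bytes(96, "big")
                          + client_random + server_random).digest()


def _rsa_sign(msg: bytes) -> int:
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")   # h < RSA_N
    return pow(h, RSA_D, RSA_N)


def _rsa_verify(msg: bytes, sig: int) -> bool:
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return pow(sig, RSA_E, RSA_N) == h


def rsa_kex_handshake():
    """TLS_RSA_* style: the client encrypts a random premaster to the server's
    public key.  Returns (session_key, wire_transcript)."""
    client_random, server_random = secrets.token_bytes(32), secrets.token_bytes(32)
    premaster = secrets.randbelow(RSA_N)
    client_key_exchange = pow(premaster, RSA_E, RSA_N)          # on the wire
    server_premaster = pow(client_key_exchange, RSA_D, RSA_N)   # server decrypts
    transcript = {"client_random": client_random, "server_random": server_random,
                  "client_key_exchange": client_key_exchange}
    return _kdf(server_premaster, client_random, server_random), transcript


def eavesdrop_rsa(transcript, rsa_d: int) -> bytes:
    """Passive sensor holding the server private key: replay the server's
    decryption step on the sniffed ClientKeyExchange and derive the key."""
    premaster = pow(transcript["client_key_exchange"], rsa_d, RSA_N)
    return _kdf(premaster, transcript["client_random"], transcript["server_random"])


def dhe_handshake():
    """DHE_RSA style: fresh DH exponents per connection; the long-term RSA key
    only signs the server's DH share.  Returns (session_key, wire_transcript)."""
    client_random, server_random = secrets.token_bytes(32), secrets.token_bytes(32)
    b = secrets.randbelow(DH_P - 3) + 2          # server ephemeral, never sent
    server_share = pow(DH_G, b, DH_P)
    signed_blob = client_random + server_random + server_share.to_bytes(66, "big")
    signature = _rsa_sign(signed_blob)           # ServerKeyExchange signature
    a = secrets.randbelow(DH_P - 3) + 2          # client ephemeral, never sent
    client_share = pow(DH_G, a, DH_P)            # ClientKeyExchange
    assert pow(client_share, b, DH_P) == pow(server_share, a, DH_P)
    transcript = {"client_random": client_random, "server_random": server_random,
                  "server_share": server_share, "signature": signature,
                  "client_share": client_share}
    return _kdf(pow(client_share, b, DH_P), client_random, server_random), transcript


def eavesdrop_dhe(transcript, rsa_d: int):
    """Same sensor, same server private key, DHE session.  The wire carries
    g^a, g^b and an RSA signature; rsa_d reproduces at most what the public
    key already allows (checking that signature).  No function of
    (rsa_d, g^a, g^b) yields g^ab, so there is no session key to return.
    Returns (signature_ok, session_key_or_None)."""
    _ = rsa_d   # accepted only to mirror eavesdrop_rsa; it cannot help here
    signed_blob = (transcript["client_random"] + transcript["server_random"]
                   + transcript["server_share"].to_bytes(66, "big"))
    return _rsa_verify(signed_blob, transcript["signature"]), None


if __name__ == "__main__":
    key, wire = rsa_kex_handshake()
    print("RSA kex: private key recovers session key:", eavesdrop_rsa(wire, RSA_D) == key)
    key, wire = dhe_handshake()
    print("DHE: (signature verified, recovered key):", eavesdrop_dhe(wire, RSA_D))
```

The practical consequence for a sensor like Snort is that a copy of the certificate's private key only helps against RSA key exchange; for (EC)DHE sessions the secrets have to come from an endpoint that exports them, or the sensor has to sit inline as a TLS-terminating proxy.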

