> Presumably the point of this exercise is to be able to analyze normally
> encrypted traffic.

That's what I thought when I first read your problem description.

IMHO, you're going at this the wrong way. Set up a second box running snort. Set it up to read the encrypted traffic... and use a decrypting engine. (Something like ssldump - I don't know for sure that snort has this yet, but you could always hack something together from the ssldump source.) You'll require the server's private key to decrypt the traffic, but that shouldn't be a problem if that really is your own secure web server. :-)

The benefit is that snort can log as much or as little as you want. Once you have the monitor set up, it's just a matter of deciding what to log and how to set up subsequent queries to the database backend.

One possible gotcha is that I'm not sure ssldump works with servers set up for perfect forward secrecy.

THAT SAID, I find this rationale very strange. I've given this some thought, but only because I was trying to determine whether it was possible to set up a snort-based NIDS to monitor encrypted traffic for an indication that I would want to drop the connection at the firewall. If you just want to know what's going to/from the web server, it makes a lot more sense to instrument that server than go through the hassles of setting up a sniffer.

Bear
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
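
The forward-secrecy gotcha in the message above can be checked from the handshake itself: with RSA key transport the premaster secret is encrypted to the server key, so a monitor holding that key can recover it, while with DHE/ECDHE it cannot. This is an added example, not part of the original post and not ssldump or snort code; the suite table is a small subset of the IANA registry, the function names are made up for illustration, and the sample ServerHello bytes are constructed.

```python
import struct

# Small subset of IANA cipher-suite code points -> (name, key exchange).
SUITES = {
    0x0005: ("TLS_RSA_WITH_RC4_128_SHA", "RSA"),
    0x000A: ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", "RSA"),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA"),
    0x0016: ("TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA", "DHE"),
    0x0033: ("TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "DHE"),
    0x0039: ("TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "DHE"),
    0xC013: ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "ECDHE"),
    0xC014: ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "ECDHE"),
}

def negotiated_suite(record: bytes) -> int:
    """Return the cipher-suite code point from a raw TLS ServerHello record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rlen]
    if ctype != 0x16 or len(body) != rlen or len(body) < 4 or body[0] != 0x02:
        raise ValueError("not a complete ServerHello handshake record")
    hlen = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hlen]
    # server_version(2) + random(32), then a length-prefixed session_id
    if len(hello) < 35:
        raise ValueError("truncated ServerHello")
    off = 35 + hello[34]
    if len(hello) < off + 3:  # need cipher_suite(2) + compression_method(1)
        raise ValueError("truncated ServerHello")
    return struct.unpack("!H", hello[off:off + 2])[0]

def passive_decrypt_possible(record: bytes):
    """Return (suite name, verdict): True if a sniffer holding the server's
    RSA key can decrypt, False if forward secret, None if suite not in table."""
    code = negotiated_suite(record)
    name, kx = SUITES.get(code, (f"unknown(0x{code:04X})", None))
    return name, (kx == "RSA") if kx else None

def sample_hello(code: int) -> bytes:
    """Constructed ServerHello (TLS 1.0, zeroed random, empty session id)."""
    hello = b"\x03\x01" + bytes(32) + b"\x00" + struct.pack("!H", code) + b"\x00"
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    for code in (0x002F, 0x0039, 0xC013):
        print(passive_decrypt_possible(sample_hello(code)))
```

A `False` verdict means the monitor needs session keys from the server side instead of the private key alone, which is the case the message suggests handling by instrumenting the server.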