Encrypted traffic should be ignored by Snort for both performance reasons and to reduce false positives. The SSL Dynamic Preprocessor (SSLPP) decodes SSL and TLS traffic and optionally determines if and when Snort should stop inspection of it.
Typically, SSL is used over port 443 as HTTPS. By enabling the SSLPP to inspect port 443 and enabling the noinspect_encrypted option, only the SSL handshake of each connection will be inspected. Once the traffic is determined to be encrypted, no further inspection of the data on the connection is made.
By default, SSLPP looks for a handshake followed by encrypted traffic traveling to both sides. If one side responds with an indication that something has failed, such as the handshake, the session is not marked as encrypted. Verifying that faultless encrypted traffic is sent from both endpoints ensures two things: the last client-side handshake packet was not crafted to evade Snort, and that the traffic is legitimately encrypted.
In some cases, especially when packets may be missed, the only observed response from one endpoint will be TCP ACKs. Therefore, if a user knows that server-side encrypted data can be trusted to mark the session as encrypted, the user should use the 'trustservers' option, documented below.
This option specifies which ports SSLPP will inspect traffic on.
By default, SSLPP watches the following ports:
Disable inspection on traffic that is encrypted. Default is off.
Maximum length of heartbeat record allowed. This config option is used to detect the heartbleed attacks. The allowed range is 0 to 65535. Setting the value to 0 turns off the heartbeat length checks. For heartbeat requests, if the payload size of the request record is greater than the max_heartbeat_length an alert with sid 3 and gid 137 is generated. For heartbeat responses, if the record size itself is greater than the max_heartbeat_length an alert with sid 4 and gid 137 is generated. Default is off.
Disables the requirement that application (encrypted) data must be observed on both sides of the session before a session is marked encrypted. Use this option for slightly better performance if you trust that your servers are not compromised. This requires the noinspect_encrypted option to be useful. Default is off.
Enables the SSL preprocessor and tells it to disable inspection on encrypted traffic.
The following rule options are supported by enabling the ssl preprocessor:
|<#18637#><#18636#><#18636#><#18637#>|| The ssl_version rule option tracks the version negotiated between
the endpoints of the SSL encryption. The list of version identifiers are below, and
more than one identifier can be specified, via a comma separated list. Lists of
identifiers are OR'ed together.
The option will match if any one of the OR'ed versions are used in the SSL connection. To check for two or more SSL versions in use simultaneously, multiple ssl_version rule options should be used.
|<#18639#><#18638#><#18638#><#18639#>|| The ssl_state rule option tracks the state of the SSL encryption
during the process of hello and key exchange. The list of states are below. More than
one state can be specified, via a comma separated list, and are OR'ed together.
The option will match if the connection is currently in any one of the OR'ed states. To ensure the connection has reached each of a set of states, multiple rules using the ssl_state rule option should be used.