Re: Encrypted packet friendly IDS ?
From: matheny (matheny-ids@dbaseIV.net)
Date: 08/31/01
Date: Fri, 31 Aug 2001 17:43:14 -0400
From: matheny <matheny-ids@dbaseIV.net>
To: focus-ids@securityfocus.com
Subject: Re: Encrypted packet friendly IDS ?
Message-ID: <20010831174313.C42712@www.dbaseiv.net>

Uh, I wouldn't agree with that. SSL/TLS cannot be 'decrypted'. In order to do so you
may need a web server's root certificate (for an effective MITM attack where the user
doesn't know they are being monitored) or, if your establishment is using client
certificates, you may need someone's private key. Of course you can just evaluate header
information, but I'm not sure how effective that is for an IDS. Doug Song can probably
comment a bit more on the 'how-to' of SSL/TLS MITM attacks (as dsniff can do this).
-Blake
Whatchu talkin' 'bout, Willis?
> Any host based IDS should be able to see the result of an encrypted transfer
> if it can understand the way the protocol works, because it should be
> functioning higher on the OSI model than the encryption. SecureIIS, while
> not really an IDS, does keep a nice little log of all traffic that violates
> its rules, whether or not the traffic came in SSL format or not. It's
> running at the application layer, so all the en/decryption is below it.
>
> Rob
>
>
> -----Original Message-----
> From: HOSHINO Hiroshi
> To: focus-ids@securityfocus.com
> Sent: 8/31/01 8:05 AM
> Subject: Encrypted packet friendly IDS ?
>
>
> Hi all,
>
> I'm looking for an IDS with which I can decapsulate SSL (or IPsec, ssh) encrypted
> packets.
> I know network-based IDS is not friendly with encrypted packets.
> But I expect that some network monitoring IDS that resides on the target host
> is able to do so.
> (maybe a session or application layer network monitoring method or ...)
>
> Could someone show or point me to some information about this ?
>
> Regards,
> ----hoshino
--
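
Added example, not part of the original thread or of any tool named in it: a sketch of the "evaluate header information" option mentioned in the reply, showing what a passive network sensor without keys can read from an SSL 3.0/TLS stream. The function names and the sample bytes are constructed for illustration.

```python
import struct

# SSL3/TLS record-layer content types; sent in cleartext in every record header.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}


def parse_records(stream: bytes):
    """Walk a reassembled TCP byte stream and return per-record header fields.

    Only the 5-byte record header (type, version, length) is interpreted.
    The body is treated as opaque, which is all a sensor without keys can
    do once encryption is switched on.
    """
    records, offset = [], 0
    while offset + 5 <= len(stream):
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, offset)
        if ctype not in CONTENT_TYPES or major != 3:
            raise ValueError(f"not an SSL3/TLS record at offset {offset}")
        body = stream[offset + 5: offset + 5 + length]
        records.append({
            "type": CONTENT_TYPES[ctype],
            "version": (major, minor),
            "length": length,
            "truncated": len(body) < length,  # capture ended mid-record
        })
        offset += 5 + length
    return records


def header_summary(stream: bytes):
    """Reduce a stream to the features a header-only rule could match on."""
    recs = parse_records(stream)
    return {
        "records": len(recs),
        "app_data_bytes": sum(r["length"] for r in recs
                              if r["type"] == "application_data"),
        "alerts": sum(1 for r in recs if r["type"] == "alert"),
        "truncated": any(r["truncated"] for r in recs),
    }


# Constructed sample: a handshake record, a change_cipher_spec record and two
# application_data records whose filler bytes stand in for ciphertext.
SAMPLE = (
    bytes([22, 3, 1]) + struct.pack("!H", 4) + b"\x01\x00\x00\x00" +
    bytes([20, 3, 1]) + struct.pack("!H", 1) + b"\x01" +
    bytes([23, 3, 1]) + struct.pack("!H", 32) + b"\xaa" * 32 +
    bytes([23, 3, 1]) + struct.pack("!H", 48) + b"\xbb" * 40  # cut short
)
```

The summary contains record types, sizes and counts only; nothing in it reflects the request or response content that an application-layer rule would inspect.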