Re: ssh and ids

From: Martin Roesch (roesch_at_sourcefire.com)
Date: 06/19/04

    Date: Fri, 18 Jun 2004 20:53:58 -0400
    To: "Runion Mark A FGA DOIM WEBMASTER(ctr)" <mark.runion@us.army.mil>


    Hey Mark,

    VENDOR ALERT: I'm a vendor and I'm going to talk about my technology.
    Please take my comments with an appropriate amount of sodium chloride.

    Sourcefire's RNA product is capable of isolating/identifying layer-7
    protocols (including encrypted protocols) and tracking the flows. For
    example, if you wanted to find SSH/SSL traffic that is being initiated
    from outside your network to inside, setting up a query (or automated
    reporting) is pretty trivial. Hacker busts into your network and sets
    up an SSH server, RNA picks it up and can let you know that it detected
    a new service and logs the flow data, etc. Anyway, if you're
    interested in seeing a demo or talking more, let me know.

    As far as IDS being able to do much with encrypted traffic, there's
    generally not much to do once the session goes encrypted. You can
    set up rules in a system like Snort to differentiate between "allowed"
    and "everyone else" hosts talking to machines on your network pretty
    easily (and you can query RNA's flow data for the info too).

    I know the NAI guys just released a mod to their sensors that allows
    them to do real-time SSL decryption if you're willing to escrow the
    private crypto keys on the box (shudder). There's been talk of
    implementing the same sort of thing in Snort (a la ssldump) for a while,
    but it's never come together...

           -Marty

    On Jun 18, 2004, at 2:18 PM, Runion Mark A FGA DOIM WEBMASTER(ctr)
    wrote:

    > Let's suppose the attacker is mildly sophisticated, and after making the
    > initial assault roots the box and installs a secure backdoor or two. Is
    > there any IDS capable of isolating data it cannot read, except to monitor
    > authorized port usage of a system or group of systems? Not to complicate
    > the question, but when the attacker is using portal gates and all
    > communications traffic is encrypted in normal channels how can an IDS
    > participate? Monitoring normal traffic patterns seems a bit slow for
    > detection.
    >
    > -
    > Mark Runion

    -- 
    Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
    Sourcefire: Intelligent Security Monitoring
    roesch@sourcefire.com - http://www.sourcefire.com
    Snort: Open Source Network IDS - http://www.snort.org
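The two checks Marty describes (flag SSH from "everyone else" into the network, and flag a new SSH service appearing on an internal host) can be written as a small flow analyser. This is an added example for this thread, not code from Sourcefire, RNA, Snort or either poster. The internal ranges, the known-server and allowed-client lists, and the flow records with their first server-to-client bytes are all constructed sample data; the point it adds to the thread is that SSH is recognised by its cleartext identification banner (RFC 4253, "SSH-2.0-...") rather than by port, so a backdoor parked on 443 is still classified as SSH even though everything after the banner is opaque to the sensor.

```python
"""Identify SSH flows by banner, then apply allowed-host and new-service checks.

Added illustration for the Focus-IDS thread above; not RNA or Snort code.
All addresses, policy lists and flow records below are constructed.
"""
from ipaddress import ip_address, ip_network
from typing import List, Set, Tuple

# Assumed site policy (hypothetical values).
HOME_NET = [ip_network("10.0.0.0/8")]
KNOWN_SSH_SERVERS: Set[Tuple[str, int]] = {("10.0.1.5", 22)}
ALLOWED_EXTERNAL_CLIENTS: Set[str] = {"198.51.100.7"}

# Constructed flows: (src, sport, dst, dport, first server->client payload).
# Only these first bytes are cleartext in an SSH session; the rest is encrypted.
SAMPLE_FLOWS = [
    ("198.51.100.7", 51022, "10.0.1.5", 22, b"SSH-2.0-OpenSSH_3.8p1\r\n"),  # allowed admin host
    ("203.0.113.9", 40412, "10.0.1.5", 22, b"SSH-2.0-OpenSSH_3.8p1\r\n"),   # unlisted external client
    ("203.0.113.9", 40413, "10.0.3.77", 443, b"SSH-2.0-dropbear_0.43\r\n"), # backdoor hiding on 443
    ("198.51.100.7", 51023, "10.0.3.77", 443, b"\x16\x03\x01\x00\x4a\x02"), # genuine TLS server hello
    ("10.0.4.2", 33000, "10.0.1.5", 22, b"SSH-2.0-OpenSSH_3.8p1\r\n"),      # internal to internal
]

Alert = Tuple[str, str, int, str]  # (kind, server_ip, server_port, client_ip)


def is_internal(ip: str) -> bool:
    """True if ip falls inside one of the HOME_NET ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in HOME_NET)


def looks_like_ssh(first_bytes: bytes) -> bool:
    """RFC 4253 identification string: 'SSH-protoversion-softwareversion' ended
    by CR LF (LF alone is tolerated for old implementations). Matching the
    banner instead of dport is what catches a server on a non-standard port."""
    return first_bytes.startswith(b"SSH-") and b"\n" in first_bytes[:255]


def analyse(flows, known_servers=KNOWN_SSH_SERVERS,
            allowed_clients=ALLOWED_EXTERNAL_CLIENTS) -> List[Alert]:
    """Return alerts for (a) an SSH server not previously seen on an internal
    host and (b) an inbound SSH session from an external host not on the list."""
    alerts: List[Alert] = []
    seen = set(known_servers)  # copy: the input policy set is not mutated
    for src, _sport, dst, dport, banner in flows:
        if not looks_like_ssh(banner):
            continue
        if is_internal(dst) and (dst, dport) not in seen:
            alerts.append(("NEW_SSH_SERVER", dst, dport, src))
            seen.add((dst, dport))
        if is_internal(dst) and not is_internal(src) and src not in allowed_clients:
            alerts.append(("INBOUND_SSH_FROM_UNLISTED_HOST", dst, dport, src))
    return alerts


def port_only_hits(flows, ssh_port: int = 22) -> int:
    """How many of the same flows a naive 'dport == 22' rule would even look at;
    included to show what banner matching gains over port matching."""
    return sum(1 for _s, _sp, _d, dport, _b in flows if dport == ssh_port)


if __name__ == "__main__":
    for kind, server, port, client in analyse(SAMPLE_FLOWS):
        print(f"{kind}: {client} -> {server}:{port}")
    print("flows a port-22-only rule inspects:", port_only_hits(SAMPLE_FLOWS))
```

Run as-is it reports the unlisted client on 10.0.1.5:22 and both a new-service and an unlisted-client alert for the dropbear instance on 10.0.3.77:443, while the TLS flow to the same host and port is left alone. The Snort analogue of the banner test is a `content:"SSH-"; depth:4;` match on the first packet of the session rather than a port in the rule header; the "allowed" versus "everyone else" split is a negated address variable in that header, which is the configuration Marty calls easy to set up.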
    
