Re: ssh and ids
From: Tony Carter (tcarter_at_entrusion.com)
Date: 06/22/04
- Previous message: Jose Nazario: "Re: possible causes of source and destination ip from external network"
- In reply to: Martin Roesch: "Re: ssh and ids"
- Next in thread: Jason: "Re: ssh and ids"
Date: Mon, 21 Jun 2004 22:39:25 -0400
To: Martin Roesch <roesch@sourcefire.com>
Since the subject came up, I've started writing the ssldump
preprocessor. I'll keep the list posted as I make progress and need
some testers...
-Tony
On Jun 18, 2004, at 8:53 PM, Martin Roesch wrote:
> Hey Mark,
>
> VENDOR ALERT: I'm a vendor and I'm going to talk about my technology.
> Please take my comments with an appropriate amount of sodium chloride.
>
> Sourcefire's RNA product is capable of isolating/identifying layer-7
> protocols (including encrypted protocols) and tracking the flows. For
> example, if you wanted to find SSH/SSL traffic that is being initiated
> from outside your network to inside, setting up a query (or automated
> reporting) is pretty trivial. Hacker busts into your network and sets
> up an SSH server, RNA picks it up and can let you know that it
> detected a new service and logs the flow data, etc. Anyway, if you're
> interested in seeing a demo or talking more, let me know.
>
> As far as IDS being able to do much with encrypted traffic, there's
> generally not much to do once the session goes encrypted. You can
> set up rules in a system like Snort to differentiate between "allowed"
> and "everyone else" hosts talking to machines on your network pretty
> easily (and you can query RNA's flow data for the info too).
>
> I know the NAI guys just released a mod to their sensors that allows
> them to do real-time SSL decryption if you're willing to escrow the
> private crypto keys on the box (shudder). There's been talk of
> implementing the same sort of thing in Snort (à la ssldump) for a
> while, but it's never come together...
>
> -Marty
>
>
> On Jun 18, 2004, at 2:18 PM, Runion Mark A FGA DOIM WEBMASTER(ctr)
> wrote:
>
>> Let's suppose the attacker is mildly sophisticated, and after making
>> the initial assault roots the box and installs a secure backdoor or
>> two. Is there any IDS capable of isolating data it cannot read, except
>> to monitor authorized port usage of a system or group of systems? Not
>> to complicate the question, but when the attacker is using portal
>> gates and all communications traffic is encrypted in normal channels,
>> how can an IDS participate? Monitoring normal traffic patterns seems a
>> bit slow for detection.
>>
>> -
>> Mark Runion
>>
> --
> Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
> Sourcefire: Intelligent Security Monitoring
> roesch@sourcefire.com - http://www.sourcefire.com
> Snort: Open Source Network IDS - http://www.snort.org
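As an added example (not code from Tony's or Marty's mail, nor from Snort or RNA), here is the "allowed hosts vs. everyone else" and "new SSH service appears inside" checks from the quoted message, run over constructed flow records in Python. HOME_NET, ALLOWED_SSH_CLIENTS, KNOWN_SSH_SERVERS and the sample flows are assumed values; the only protocol fact relied on is that an SSH server sends its "SSH-..." identification string in the clear before key exchange (RFC 4253), which is what lets a sensor recognise SSH on any port even though it cannot read the session afterwards.

```python
# Added example: policy checks over flows whose payload the IDS cannot read.
# SSH is recognised from the cleartext identification string ("SSH-", RFC 4253);
# everything after that is flow metadata: who talked to whom, on which port.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed site policy (constructed values): internal range, sanctioned SSH
# clients, and SSH services already known before this run.
HOME_NET = ip_network("10.0.0.0/8")
ALLOWED_SSH_CLIENTS = {ip_address("10.0.5.10"), ip_address("10.0.5.11")}
KNOWN_SSH_SERVERS = {(ip_address("10.0.1.20"), 22)}

@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    first_server_bytes: bytes  # first payload bytes sent by the responder

def is_ssh(flow: Flow) -> bool:
    # The server identification string precedes key exchange and is not encrypted.
    return flow.first_server_bytes.startswith(b"SSH-")

def classify(flow: Flow, known_servers=KNOWN_SSH_SERVERS) -> list[str]:
    """Return the alert names this flow raises; an empty list means 'fine'."""
    if not is_ssh(flow):
        return []
    alerts = []
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if src not in HOME_NET and dst in HOME_NET:
        alerts.append("inbound-ssh-from-outside")
    if dst in HOME_NET and (dst, flow.dport) not in known_servers:
        alerts.append("new-ssh-service-on-internal-host")
    if dst in HOME_NET and src not in ALLOWED_SSH_CLIENTS:
        alerts.append("ssh-client-not-in-allow-list")
    return alerts

# Constructed flow records: a sanctioned admin session, an outsider reaching an
# SSH daemon on a non-standard internal port, a TLS session (not SSH at all),
# and an internal client that is not on the allow list.
SAMPLE_FLOWS = [
    Flow("10.0.5.10", 50111, "10.0.1.20", 22, b"SSH-2.0-OpenSSH_3.8p1\r\n"),
    Flow("203.0.113.7", 40123, "10.0.1.33", 8443, b"SSH-2.0-OpenSSH_3.8p1\r\n"),
    Flow("10.0.5.12", 40124, "10.0.1.20", 443, b"\x16\x03\x01\x00\x4a"),
    Flow("10.0.5.12", 40125, "10.0.1.20", 22, b"SSH-2.0-OpenSSH_3.8p1\r\n"),
]

def run(flows=SAMPLE_FLOWS) -> dict[tuple, list[str]]:
    return {(f.src, f.dst, f.dport): classify(f) for f in flows}
```

Swapping the constructed SAMPLE_FLOWS for records exported from a flow collector is the only change needed to run the same checks against real traffic.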