RE: How to monitor encrypted connections...



In line:

On my MSc thesis I finished last year, I proposed an IDS/IPS architecture
and developed what I call an Application-based sensor. In this sense, I
debugged Apache behavior and caught the requests after they were decrypted
and before they were processed by the app server.

How is it different than ModSecurity?

At the time I developed my thesis, the WAF concept had just started to be
discussed. I found some solutions like BrachView SSL and McAfee "Intrushield
SSL Traffic Inspection and Prevention" only when I was about to present my thesis.

When I studied ModSecurity, I felt it lacked some features, mainly the
integration with traditional detection/prevention architectures and attack
prevention. Apart from the last, which I know is already implemented in the new
version of ModSecurity, I'm not aware of its new capabilities.

As part of the project, I developed an API to enable interprocess
communication and used a portion of Snort as a detection engine, so it could
detect web attacks.
Another way to detect user misuse/attacks is based on pre-defined rules
that protect the application/server from unauthorized requests, like HTTP
OPTIONS and TRACE, even if they are enabled in the server settings.

The developed prototype proved very stable, with a small performance cost of
about 100 microseconds when operating in active mode (preventing attacks).
No considerable delay was noticed in passive mode (reactive mode).
According to the alert level, the sensor can automatically set some
predefined rules in the local server to stop the attack and send alert
information to a complete IDS in real time, thus permitting the activation of
some protection rules at border controls (firewalls).

Last, I implemented the still not-so-well-known/accepted IDMEF format and
IDXP protocol to exchange messages in a proper standard.

Although lots of work remains to be done, I cannot continue it for now
due to other activities (more than a year since I finished). I hope I can put
some effort into it and publish it for the community.

Regards,

Leonardo Cavallari Militelli, MSc. / GIAC-GAWN
Núcleo de Segurança e Redes de Alta Velocidade
Escola Politécnica
Universidade de São Paulo
www.lsi.usp.br/~nsrav

