IDS mailing list archives
Re: Need some information on HIDS!
From: Frank Knobbe <frank () knobbe us>
Date: Tue, 01 Mar 2005 21:43:27 -0600
On Mon, 2005-02-28 at 13:48 -0500, SecurIT Informatique Inc. wrote:
Hello. I have already invoked such a scenario in some of my previous IDS work/articles. What I had in mind is something like encrypting the whole network traffic, to prevent sniffing from intruders (let's say wall-to-wall SSH, for example). In such an environment, if you still wanted to keep some NIDS capabilities, you'd actually have to install NIDS software (Snort comes to mind) on every host on the network, in non-promiscuous mode (since sniffing the rest of the network traffic is useless, since it is encrypted).
Non-promiscuous mode shouldn't matter. If you sniff on the network interface, you are still only sniffing encrypted traffic. The only way I can see this work, which may be the direction you're heading and what you are proposing here, is to sniff traffic on the loop-back adapter. If you sniff on lo0, you will most likely see your SSH tunneled traffic in unencrypted form. However, what about application/services that do not run through lo0? Encrypted traffic from/to these apps, sent and received only through the NIC, is not monitored since it is encrypted. Sniffing on lo0 will give you interesting traffic worth watching. Of course you may find yourself dealing with bandwidth issues as you suspected. But since you are already on the host, why not monitor syscalls and applications directly? Cheers, Frank
Attachment:
signature.asc
Description: This is a digitally signed message part
Current thread:
- Need some information on HIDS! peng xuena (Feb 28)
- Re: Need some information on HIDS! SecurIT Informatique Inc. (Mar 01)
- Re: Need some information on HIDS! Frank Knobbe (Mar 02)
- Re: Need some information on HIDS! SecurIT Informatique Inc. (Mar 06)
- Re: Need some information on HIDS! Frank Knobbe (Mar 02)
- <Possible follow-ups>
- RE: Need some information on HIDS! Ofer Shezaf (Mar 16)
- Re: Need some information on HIDS! SecurIT Informatique Inc. (Mar 01)