IDS mailing list archives
RE: How to monitor encrypted connections...
From: "Kevin Overcash" <kevin.overcash () breach com>
Date: Mon, 24 Sep 2007 17:18:57 -0400
Breach Security (www.breach.com) offers a product called BreachView SSL, whose sole purpose is to passively decrypt SSL traffic for an IDS/IPS to inspect. The product works as a preprocessor, sending the IDS both the encrypted traffic as well as a corresponding packet containing the decrypted content. An IDS is then able to analyze the traffic and report on threats within encrypted traffic. The product is available as either an appliance or a software plug-in for Windows or Linux environments.

Please see http://www.breach.com/products/breachview-ssl.html for more details or a free evaluation.

Kevin Overcash

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of abhicc285 () gmail com
Sent: Friday, September 21, 2007 4:05 AM
To: focus-ids () securityfocus com
Subject: Re: How to monitor encrypted connections...

If the traffic is encrypted then the IDS will first have to decrypt the traffic. The IDS will have the keys to decrypt the traffic. This kind of design is certainly possible in HIPS where for SSL traffic keys can be uploaded, IPS will first decrypt the traffic and then forward the traffic to exploit/vulnerability specific rules. However it will be computationally expensive.

> Still working on my IDS/IPS project...
> When browsing some IDS/IPS vendors' datasheets, I noticed that some of them
> claimed being able to monitor encrypted traffic.
> Could someone provide me with some insight on what is currently possible (and already
> implemented) and what are the eventual limita...