Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Encrypted sessions

From: Erek Adams <erek () theadamsfamily net>
Date: Tue, 27 Nov 2001 13:30:44 -0800 (PST)
On Tue, 27 Nov 2001, Chr. v. Stuckrad wrote:


*grin* there is another problem with 'encryption':
I've seen a thing like an IRC-Bot used as DDOS Command-Center
and communicating via an encrypted stream to the hacked host...

No chance to see anything, except if the key is already known.


Right!  But I was (pardon the pun) 'keying off' on the fact it was 'our
mailservers/webservers'.  I made the assumption that they had they keys.  :)


But how?  If for example you would want to look for specific bad traffic
(we had that with ssh1) and you want to find logins via ssh, you only
get the fact, that there IS a connection, no contents (else ssh would be
useless anyway).


Right again!  If the 3l33t hax0r uses a l33t algorithm like, oh, ROTT13, then
you've got a bit of a chance.   :)  But if it's something akin to ssh--Good
luck.

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: