IDS mailing list archives

Re: IDS, IPS and encrypted traffic


From: Jose Maria Lopez <jkerouac () bgsec com>
Date: 06 Dec 2004 20:47:43 +0100

On Thu, 02 Dec 2004 at 08:15, Daniel Hamburg wrote:
Hello everybody,

I’ve been looking around the net for a while, trying to find some theoretical and practical approaches to solve the
problem of analyzing encrypted traffic.

I know that there is a need to decrypt the traffic before analyzing it, but I haven’t found any concrete solutions
for either NIDS or HIDS yet. Some HIDS vendors announced that their products are capable of analyzing encrypted
traffic, but I didn’t succeed in finding any details about that.

Does anybody know some products or papers which deal with the problem of analyzing encrypted traffic?

Thanks in advance,
  Daniel Hamburg


Some people have had success using a squid proxy with the certificates
to decrypt the SSL traffic before sending it to the real web servers,
and using a snort box after the squid proxy to see the unencrypted
traffic.

You can also try ssltunnel to handle other protocols but it's more
complicated.


-- 
Jose Maria Lopez Hernandez
Technical Director, bgSEC
jkerouac () bgsec com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
SPAIN

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"
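As an added illustration of the layout Jose describes (not part of the original thread, and not a configuration from bgSEC or the Squid project), the following squid.conf fragment puts Squid in reverse-proxy ("accel") mode: it terminates HTTPS with the site's own certificate and relays the decrypted requests to the origin web server over plain HTTP, so a Snort sensor on the proxy-to-origin segment sees cleartext. The hostname www.example.com, the origin address 10.0.1.20, the certificate paths and the peer name are placeholders; the directive syntax follows Squid 3.x.

```conf
# Constructed example squid.conf for an SSL-terminating reverse proxy.
# Hostnames, addresses and file paths are placeholders, not real values.

# Terminate HTTPS from clients here, using the site's own certificate and key.
https_port 443 accel cert=/etc/squid/ssl/www.example.com.crt key=/etc/squid/ssl/www.example.com.key defaultsite=www.example.com

# Relay the decrypted requests in the clear to the origin web server.
# The Snort sensor watches this hop (proxy -> 10.0.1.20, TCP port 80),
# which is covered by Snort's default HTTP_PORTS variable.
cache_peer 10.0.1.20 parent 80 0 no-query originserver name=origin

# Only accept requests for the site this proxy fronts.
acl our_site dstdomain www.example.com
http_access allow our_site
cache_peer_access origin allow our_site
http_access deny all
```

The caveat this design carries is that the proxy-to-origin hop now carries the same data the client sent under SSL, in cleartext; it belongs on an isolated segment (a dedicated VLAN or a crossover link to the origin server and the sensor), and the proxy host holding the site's private key needs the same hardening as the web server it fronts.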

