IDS mailing list archives

Re: ssh and ids

From: Martin Roesch <roesch () sourcefire com>
Date: Fri, 18 Jun 2004 20:53:58 -0400

Hey Mark,

VENDOR ALERT: I'm a vendor and I'm going to talk about my technology.Please take my comments with an appropriate amount of sodium chloride.

Sourcefire's RNA product is capable of isolating/identifying layer-7protocols (including encrypted protocols) and tracking the flows. Forexample, if you wanted to find SSH/SSL traffic that it being initiatedfrom outside your network to inside, setting up a query (or automatedreporting) is pretty trivial. Hacker busts into your network and setsup an SSH server, RNA picks it up and can let you know that it detecteda new service and logs the flow data, etc. Anyway, if you'reinterested in seeing a demo or talking more, let me know.

As far as IDS being able to do much with encrypted traffic, there'sgenerally not much to do once the session goes encrypted. You cansetup rules in a system like Snort to differentiate between "allowed"and "everyone else" hosts talking to machines on your network prettyeasily (and you can query RNA's flow data for the info too).

I know the NAI guys just released a mod to their sensors that allowthem to do real-time SSL decryption if you're willing to escrow theprivate crypto keys on the box (shudder). There's been talk ofimplementing the same sort of thing in Snort (ala ssldump) for a while,but it's never come together...


      -Marty

On Jun 18, 2004, at 2:18 PM, Runion Mark A FGA DOIM WEBMASTER(ctr)wrote:

Lets suppose the attacker is mildly sophisticated, and after making the
initial assault roots the box and installs a secure backdoor or two.Isthere any IDS capable of isolating data it cannot read, except tomonitorauthorized port usage of a system or group of systems? Not tocomplicate
the question, but when the attacker is using portal gates and all
communications traffic is encrypted in normal channels how can an IDS
participate?  Monitoring normal traffic patterns seems a bit slow for
detection.

-
Mark Runion
---------------------------------------------------------------------------
---------------------------------------------------------------------------

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org


---------------------------------------------------------------------------

---------------------------------------------------------------------------

Current thread:

ssh and ids Runion Mark A FGA DOIM WEBMASTER(ctr) (Jun 18)
- Re: ssh and ids Adam Powers (Jun 21)
- Re: ssh and ids Martin Roesch (Jun 21)
  - Re: ssh and ids Tony Carter (Jun 22)
  - Re: ssh and ids Jason (Jun 22)
  - Re: ssh and ids Adam Powers (Jun 22)
    - Re: ssh and ids Martin Roesch (Jun 23)
    - Re: ssh and ids Christian Kreibich (Jun 24)
- Re: ssh and ids Gary Flynn (Jun 21)
  - Re: ssh and ids Frank Knobbe (Jun 22)
    - Re: ssh and ids Bamm Visscher (Jun 23)
    - Re: ssh and ids Frank Knobbe (Jun 23)
- <Possible follow-ups>
- Re: ssh and ids Ron Gula (Jun 21)

(Thread continues...)