IDS mailing list archives
RE: ssh and ids
From: "Matthew F. Caldwell" <mattc () guarded net>
Date: Mon, 21 Jun 2004 18:42:39 -0400
At 06:18 PM 6/18/2004 +0000, Runion Mark A FGA DOIM WEBMASTER(ctr) wrote:
Let's suppose the attacker is mildly sophisticated, and after making the initial assault roots the box and installs a secure backdoor or two. Is there any IDS capable of isolating data it cannot read, except to monitor authorized port usage of a system or group of systems?
As mentioned previously, virtually no IDS/IPS incorporates monitoring of SSHv2/v1 sessions. However, some SSH (version 1) sessions are subject to man-in-the-middle attacks, as are some SSL connections. Applications that help in performing the "forensic" man-in-the-middle attack include ettercap http://ettercap.sourceforge.net or sshmitm (an app from the dsniff suite) http://www.monkey.org/~dugsong/dsniff/

Happy hacker hunting!

Matthew F. Caldwell
Chief Security Officer
GuardedNet, Inc.
www.guarded.net
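The two points raised in this thread (an IDS cannot read the contents of an SSH session, so the practical checks are whether SSH shows up on ports it is not authorized for, and whether the server still offers protocol version 1, which is what sshmitm targets) can both be done from the server's cleartext identification banner, which is sent before any encryption starts. The script below is an added example written for this archive page, not code from the poster or from any of the tools he names; the authorized-port policy and the flow records are constructed sample data, and the alert names are my own.

```python
import re
from dataclasses import dataclass

# RFC 4253 identification string: "SSH-protoversion-softwareversion [comments]\r\n".
# It is sent in the clear by both sides before key exchange, so a passive
# sensor can read it even though it cannot read anything that follows.
SSH_BANNER = re.compile(rb"^SSH-(\d+\.\d+)-([^\s\r\n]+)")


@dataclass(frozen=True)
class Flow:
    """One observed TCP connection: client, server, server port, first server bytes."""
    src: str
    dst: str
    dport: int
    server_bytes: bytes


# Hypothetical policy (constructed for this example): the only ports on which
# each monitored host is allowed to run an SSH server.
AUTHORIZED_SSH_PORTS = {
    "10.0.0.5": {22},
    "10.0.0.9": {22, 2222},
}


def classify(flow, policy=AUTHORIZED_SSH_PORTS):
    """Return a list of alert names for one flow (empty list means nothing notable)."""
    alerts = []
    allowed = policy.get(flow.dst, set())
    m = SSH_BANNER.match(flow.server_bytes)

    if m is None:
        # Something that is not SSH answering on a port reserved for SSH is
        # worth a look (service replaced, or a backdoor hiding on a known port).
        if flow.dport in allowed:
            alerts.append("NON_SSH_ON_SSH_PORT")
        return alerts

    proto = m.group(1).decode("ascii", "replace")

    # An SSH server on a port the policy does not list: possible "secure backdoor".
    if flow.dport not in allowed:
        alerts.append("SSH_ON_UNAUTHORIZED_PORT")

    # Protocol 1.x is the version the dsniff sshmitm tool can intercept.
    # "1.99" is a v2 server advertising that it will still fall back to v1.
    if proto == "1.99":
        alerts.append("SSHV1_FALLBACK_OFFERED")
    elif proto.startswith("1."):
        alerts.append("SSHV1_ONLY")

    return alerts


def scan(flows, policy=AUTHORIZED_SSH_PORTS):
    """Run classify() over a batch of flows and keep only those that raised alerts."""
    findings = []
    for f in flows:
        alerts = classify(f, policy)
        if alerts:
            findings.append((f.dst, f.dport, alerts))
    return findings


# Constructed sample flows; the banners are typical of the era but are not
# captures from any real host.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "10.0.0.5", 22, b"SSH-2.0-OpenSSH_3.8p1\r\n"),      # clean
    Flow("192.0.2.10", "10.0.0.5", 31337, b"SSH-2.0-dropbear_0.43\r\n"),   # backdoor on odd port
    Flow("192.0.2.11", "10.0.0.9", 2222, b"SSH-1.99-OpenSSH_3.8p1\r\n"),   # v1 fallback on
    Flow("192.0.2.12", "10.0.0.9", 22, b"SSH-1.5-Cisco-1.25\r\n"),         # v1 only
    Flow("192.0.2.13", "10.0.0.5", 22, b"220 mail.example.test ESMTP\r\n"),  # not SSH on 22
    Flow("192.0.2.14", "10.0.0.5", 80, b"HTTP/1.1 200 OK\r\n"),            # unrelated
]

if __name__ == "__main__":
    for dst, dport, alerts in scan(SAMPLE_FLOWS):
        print(f"{dst}:{dport} {' '.join(alerts)}")
```

This is only as good as the policy table, and it catches nothing once the backdoor is tunnelled inside an authorized SSH session; that is the limitation the thread is about. It does, however, turn the one cleartext part of the protocol into something a port-usage monitor can act on.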
Current thread:
- Re: ssh and ids, (continued)
- Re: ssh and ids Adam Powers (Jun 22)
- Re: ssh and ids Martin Roesch (Jun 23)
- Re: ssh and ids Christian Kreibich (Jun 24)
- Re: ssh and ids Adam Powers (Jun 22)
- Re: ssh and ids Gary Flynn (Jun 21)
- Re: ssh and ids Frank Knobbe (Jun 22)
- Re: ssh and ids Bamm Visscher (Jun 23)
- Re: ssh and ids Frank Knobbe (Jun 23)
- Re: ssh and ids Frank Knobbe (Jun 22)
- RE: ssh and ids Frank Knobbe (Jun 22)
- Re: ssh and ids Adam Powers (Jun 22)
- Re: ssh and ids David W. Goodrum (Jun 22)
- RE: ssh and ids Thierry Evangelista (Jun 23)
- Re: ssh and ids David W. Goodrum (Jun 23)
- Re: ssh and ids Tony Carter (Jun 24)