RE: Need some information on HIDS!

["Ofer Shezaf" <Ofer.Shezaf () breach com>]

There are solutions for passively decrypting sniffed SSL traffic (I'm
not aware of any SSH solution though - doesn't seem to be enough
demand):
- You could tweak SSLdump for that.
- IntruShield from MacAfee includes such a feature if this is your
Network IDS of choice 
- We make a plug-in for most major IDS sensors that decrypt SSL.

~ Ofer

Ofer Shezaf
CTO, Breach Security

Tel: +972.9.956.0036 ext.212
Cell: +972.54.443.1119
ofers () breach com
http://www.breach.com 

> -----Original Message-----
> From: SecurIT Informatique Inc. [mailto:securit () iquebec com]
> Sent: Friday, March 04, 2005 4:29 PM
> To: Frank Knobbe
> Cc: SecurIT Informatique Inc.; peng xuena; focus-ids () securityfocus com
> Subject: Re: Need some information on HIDS!
>
> At 10:43 PM 01/03/2005, Frank Knobbe wrote:
>
> > On Mon, 2005-02-28 at 13:48 -0500, SecurIT Informatique Inc. wrote:
> > > Hello.  I have already invoked such a scenario in some of my
previous
> IDS
> > > work/articles.  What I had in mind is something like encrypting
the
> whole
> > > network traffic, to prevent sniffing from intruders (let's say
> > wall-to-wall
> > > SSH, for example).  In such an environment, if you still wanted to
> keep
> > > some NIDS capabilities, you'd actually have to install NIDS
software
> > (Snort
> > > comes to mind) on every host on the network, in non-promiscuous
mode
> > (since
> > > sniffing the rest of the network traffic is useless, since it is
> > encrypted).
> >
> > Non-promiscuous mode shouldn't matter. If you sniff on the network
> > interface, you are still only sniffing encrypted traffic.
> >
> > The only way I can see this work, which may be the direction you're
> > heading and what you are proposing here, is to sniff traffic on the
> > loop-back adapter.
>
> I have not implemented this, so in my mind it is still theoretical,
but
> what I had in mind is that sniffing local data should be done in the
IP
> stack after it's been dealt with by the encryption layer.  This is
what I
> had in mind with "non-promiscuous", since the local IP stack will be
> unable
> to decrypt the traffic not pertaining to it.  Maybe SSH was not the
best
> example, but I think you got the idea.
>
> > (snip)
> > But since you are already on the host, why not monitor syscalls and
> > applications directly?
>
> That's what I'm currently doing/planning to do with some of my own
> software.  The suggested setup I mentionned here was in relation to
the
> original question in this list.
>
> Adam
>
> > Cheers,
> > Frank
>
>
> --
> No virus found in this outgoing message.
> Checked by AVG Anti-Virus.
> Version: 7.0.300 / Virus Database: 266.5.7 - Release Date: 01/03/2005
------------------------------------------------------------------------
--
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks from
> CORE IMPACT.
> Go to
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
------------------------------------------------------------------------
--


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------