Honeypots mailing list archives

RE: encrypted data honeypots and IDS


From: "Roger A. Grimes" <roger () banneretcs com>
Date: Thu, 3 Mar 2005 04:32:48 -0500

Encrypted traffic is certainly a concern to any honeypot administrator,
but this problem isn't new or unaddressed.  There are several methods
and tools you can use to track encrypted traffic, most relying on the
fact that even encrypted traffic must be unencrypted on the eventual
host to work. The traffic can then be captured and forwarded to a
monitoring station.

Sebek is the most common tool for this, although it has many limitations
in the Windows environment (doesn't capture GUI traffic, etc.). There
are many other tools that will capture command-line based traffic, and
other tools that will capture the GUI stuff.  If you are concerned about
encrypted traffic, you can create an offense-in-depth collection of
monitoring tools to defeat the encrypted traffic.

Roger

***************************************************************************
*Roger A. Grimes, Banneret Computer Security, Computer Security
Consultant 
*CPA, CISSP, MCSE: Security (NT/2000/2003/MVP), CNE (3/4), CEH, CHFI
*email: roger () banneretcs com
*cell: 757-615-3355
*Author of Malicious Mobile Code:  Virus Protection for Windows by
O'Reilly
*http://www.oreilly.com/catalog/malmobcode
*Author of Honeypots for Windows (Apress)
*http://www.apress.com/book/bookDisplay.html?bID=281
****************************************************************************


-----Original Message-----
From: John Galt [mailto:everbeeninlove () gmail com] 
Sent: Monday, February 21, 2005 7:34 AM
To: honeypots () securityfocus com; focus-ids () securityfocus com;
security-basics () securityfocus com
Subject: encrypted data honeypots and IDS

Hello! I have been working with IDSs and honeypots for a while, and
have constantly been intrigued by one thing: As long as you control
networks, it's good to have all traffic encrypted (whether it's over http
over ssl or ssh instead of telnet etc), but to sniff and analyse data as
in an IDS, you need it to be unencrypted. With encryption being used
increasingly in so many communications, will that result in the demise
of IDSs in the long run, unless they change their architecture in some
manner?

As an example, snort flags logs whenever there is a return id for root,
since it assumes that's an automated script. But something like that over
ssh would never get caught.

Would be glad if anyone can give any inputs regarding work done to deal
with this "problem".

regards

John Galt
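The point both messages circle, that a content-matching network IDS sees only ciphertext on an SSH session while a host-side tap in the spirit of Sebek sees the buffers after decryption, as an added Python example that is not part of either post. It assumes a toy XOR keystream standing in for the real SSH/TLS session cipher, a constructed shell transcript, and a plain substring search in place of Snort's actual "id check returned root" rule. The reassembly check at the end goes a step beyond the thread: because a host tap forwards one buffer per read() call, the monitoring station has to join the buffers before matching or a pattern split across two reads is missed.

```python
import hashlib
from typing import Dict, List

# Constructed sample: what an interactive shell on a honeypot sends back after
# an intruder runs `id`. A cleartext service (telnet) puts these bytes on the
# wire as-is; SSH or TLS would carry only ciphertext.
SESSION_PLAINTEXT = b"$ id\r\nuid=0(root) gid=0(root) groups=0(root)\r\n$ "

# The byte pattern behind Snort's classic "id check returned root" rule,
# reduced here to a plain substring search (a simplification of the real rule).
ROOT_ID_PATTERN = b"uid=0(root)"


def nids_content_match(stream: bytes, pattern: bytes = ROOT_ID_PATTERN) -> bool:
    """Signature-based NIDS reduced to its essence: is the pattern on the wire?"""
    return pattern in stream


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode) standing in for the session
    cipher of SSH/TLS. Illustrative only; not a real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_cipher(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: XOR with a keystream is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


class HostTap:
    """Host-side capture in the spirit of Sebek: record the buffers the honeypot
    process handles after decryption (what a kernel hook on read()/write() would
    see) and forward them to a monitoring station, here an in-memory list."""

    def __init__(self) -> None:
        self.forwarded: List[bytes] = []

    def observe(self, buffer: bytes) -> None:
        self.forwarded.append(buffer)

    def match_per_buffer(self, pattern: bytes = ROOT_ID_PATTERN) -> bool:
        """Naive monitoring station: test each forwarded buffer on its own."""
        return any(pattern in buf for buf in self.forwarded)

    def match_reassembled(self, pattern: bytes = ROOT_ID_PATTERN) -> bool:
        """Monitoring station that reassembles the session before matching,
        so a pattern split across read() calls is still caught."""
        return pattern in b"".join(self.forwarded)


def honeypot_reads(key: bytes, wire: bytes, tap: HostTap, read_size: int) -> bytes:
    """The honeypot's side of the session: decrypt the wire bytes and hand them
    to the application in read()-sized pieces, each of which the tap observes."""
    cleartext = xor_cipher(key, wire)
    for i in range(0, len(cleartext), read_size):
        tap.observe(cleartext[i:i + read_size])
    return cleartext


def run_scenario(key: bytes = b"constructed-session-key",
                 read_size: int = 4) -> Dict[str, bool]:
    """Compare where the root-id pattern is visible for one encrypted session."""
    wire = xor_cipher(key, SESSION_PLAINTEXT)   # what a NIDS can sniff
    tap = HostTap()
    honeypot_reads(key, wire, tap, read_size)   # what the host tap forwards
    return {
        "nids_on_cleartext_telnet": nids_content_match(SESSION_PLAINTEXT),
        "nids_on_encrypted_wire": nids_content_match(wire),
        "host_tap_per_buffer": tap.match_per_buffer(),
        "host_tap_reassembled": tap.match_reassembled(),
    }


if __name__ == "__main__":
    for name, hit in run_scenario().items():
        print(f"{name:26s} {'DETECTED' if hit else 'missed'}")
```

With the default 4-byte reads the per-buffer check misses the 11-byte pattern even though every byte of it was forwarded; the same session with reads of 64 bytes is caught either way. That is the practical caveat behind Roger's "capture and forward" architecture: the sensor on the host solves the encryption problem, and the station receiving its output still has to treat the forwarded buffers as a stream.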

