Vulnerability Development mailing list archives
IDS & SSL
From: Daniel Pearce <danjopearce () YAHOO CO UK>
Date: Fri, 1 Sep 2000 08:28:15 +0100
IDS and SSL won't work because the data has been encrypted. This you know. There is no real way to solve it other than customising some kind of script or host-based IDS to monitor the logfile for the application that would be holding the session keys, or the point where the requests/data becomes unencrypted, i.e. when an SSL session is established (even through proxy servers - but not reverse proxy servers) the session keys will only be known by the client and the server (or the webserver and the browser for example). Because of this effective "tunnel" through any proxies and networks, there is no possible way to make a network-based IDS see this traffic.

I would imagine you could combine off-the-shelf products from a company like ISS to monitor your servers and networks using host- and network-based IDS to give you access to the logfile, but the logfile is still the only place to get it.

Personally, I would write something script-like to monitor the logfile of the webserver or application that uses SSL, get an SNMP trap generator and throw traps at a management station. This not only gives you full control over exploits, but the ability to update it yourself (and fully understand it) with any new exploits relevant to your application. SNMP then gives you a standard transport mechanism for alarming to the right places.

Rgds
Daniel J Pearce
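The approach the post sketches (a script watching the TLS-terminating web server's logfile, i.e. the point where requests are already decrypted, and raising SNMP traps at a management station) as an added Python example; this is not the poster's code. It assumes Common Log Format access logs, two constructed request signatures, a placeholder enterprise OID arc, and constructed sample log lines; the SNMPv2c trap is BER-encoded by hand so the script runs with the standard library alone.

```python
"""Watch a TLS-terminating web server's access log for attack signatures
and raise SNMP traps.  Added example: the CLF parser, the two signatures,
the enterprise OID arc and the sample log lines are constructed."""
import re
import socket
from dataclasses import dataclass

# Constructed sample access-log lines (documentation address ranges only).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Sep/2000:08:28:15 +0100] "GET /index.html HTTP/1.0" 200 1043',
    '203.0.113.7 - - [01/Sep/2000:08:28:16 +0100] "GET /cgi-bin/view.pl?file=../../etc/passwd HTTP/1.0" 404 212',
    '198.51.100.9 - - [01/Sep/2000:08:28:17 +0100] "GET /login?user=admin%27%20OR%201=1-- HTTP/1.0" 200 512',
]

# Common Log Format: client ident user [time] "method path proto" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Constructed signatures; a real deployment tunes these per application.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./|%2e%2e", re.IGNORECASE),
    "sql-injection": re.compile(r"(?:'|%27)\S*(?:--|%20or%20|\+or\+)", re.IGNORECASE),
}

# Placeholder enterprise arc: substitute your organisation's registered PEN.
ENTERPRISE = "1.3.6.1.4.1.99999"


@dataclass
class Alert:
    signature: str
    client: str
    request: str
    status: int


def scan_log_lines(lines):
    """Return one Alert per (line, signature) hit on the request path."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not CLF; a real tailer would count these separately
        client, _ts, _method, path, status = m.groups()
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                alerts.append(Alert(name, client, path, int(status)))
    return alerts


# --- minimal BER encoder, enough for an SNMPv2c TRAP (RFC 3416) ----------
def _ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber(tag, content):
    return bytes([tag]) + _ber_len(len(content)) + content


def ber_int(value, tag=0x02):
    # two's-complement, shortest form; tag 0x43 gives TimeTicks
    return ber(tag, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))


def ber_oid(oid):
    parts = [int(p) for p in oid.strip(".").split(".")]
    body = bytearray([40 * parts[0] + parts[1]])
    for sub in parts[2:]:
        chunk = bytearray([sub & 0x7F])
        sub >>= 7
        while sub:  # base-128, continuation bit set on all but the last byte
            chunk.insert(0, 0x80 | (sub & 0x7F))
            sub >>= 7
        body += chunk
    return ber(0x06, bytes(body))


def build_snmpv2c_trap(community, request_id, uptime_ticks, trap_oid, varbinds):
    """SNMPv2c message wrapping a TRAP PDU (tag 0xA7): sysUpTime.0 and
    snmpTrapOID.0 lead the varbind list, then caller OCTET STRING values."""
    vbs = [
        ber(0x30, ber_oid("1.3.6.1.2.1.1.3.0") + ber_int(uptime_ticks, 0x43)),
        ber(0x30, ber_oid("1.3.6.1.6.3.1.1.4.1.0") + ber_oid(trap_oid)),
    ]
    vbs += [ber(0x30, ber_oid(o) + ber(0x04, v)) for o, v in varbinds]
    pdu = ber(0xA7, ber_int(request_id) + ber_int(0) + ber_int(0)
              + ber(0x30, b"".join(vbs)))
    return ber(0x30, ber_int(1) + ber(0x04, community.encode()) + pdu)  # version 1 == v2c


def alert_to_trap(alert, community="public", uptime_ticks=0):
    return build_snmpv2c_trap(
        community, 1, uptime_ticks, ENTERPRISE + ".0.1",
        [(ENTERPRISE + ".1.1", alert.signature.encode()),
         (ENTERPRISE + ".1.2", alert.client.encode()),
         (ENTERPRISE + ".1.3", alert.request.encode())])


def send_trap(payload, manager="127.0.0.1", port=162):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(payload, (manager, port))


if __name__ == "__main__":
    for a in scan_log_lines(SAMPLE_LOG):
        print(f"{a.signature}: {a.client} {a.request} -> {a.status}")
        send_trap(alert_to_trap(a))  # point at your management station
```

Two things worth noting about this design. First, it only sees what the web server writes to its log, so anything the application drops before logging (or logs in a different file) never becomes a trap; the signatures are yours to extend, which is exactly the control the post describes. Second, a community-string SNMPv2c trap travels in cleartext and is unauthenticated, so on a real network the management station should require SNMPv3 with authentication and privacy, or the traps should stay on a management VLAN.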