Vulnerability Development mailing list archives

IDS & SSL


From: Daniel Pearce <danjopearce () YAHOO CO UK>
Date: Fri, 1 Sep 2000 08:28:15 +0100

IDS and SSL won't work because the data has been
encrypted.  This you know.

There is no real way to solve it other than
customising some kind of script or host-based IDS to
monitor the logfile for the application that would be
holding the session keys, or the point where the
requests/data becomes unencrypted.

i.e. when an SSL session is established (even through
proxy servers - but not reverse proxy servers) the
session keys will only be known by the client and the
server (or the webserver and the browser for example).
Because of this effective "tunnel" through any proxies
and networks, there is no possible way to make a
network-based IDS see this traffic.

I would imagine you could combine off-the-shelf
products from a company like ISS to monitor your
servers and networks using host- and network-based IDS
to give you access to the logfile, but the logfile is
still the only place to get it.

Personally, I would write something script-like to
monitor the logfile of the webserver or application
that uses SSL, get an SNMP trap generator and throw
traps at a management station.

This not only gives you full control over exploits,
but the ability to update it yourself (and fully
understand) with any new exploits relevant to your
application. SNMP then gives you a standard transport
mechanism for alarming to the right places.

RGds

Daniel J Pearce
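The script-like log monitor and SNMP trap generator the post sketches, as an added example that is not code from the original message or its author. It assumes the common "combined" access-log format of Apache/NGINX, the net-snmp `snmptrap` command-line tool for the trap side, and uses placeholder values for the management station address, community string and enterprise OID; the log lines, signatures and alert layout are constructed for illustration and would be tuned to the application behind the SSL endpoint.

```python
"""Host-based access-log watcher that raises SNMP traps on suspicious requests.

Added example (not the original post's code). Assumes the Apache/NGINX
"combined" log format and the net-snmp `snmptrap` CLI. Manager address,
community and enterprise OID below are placeholders, not real values.
"""
import re
import subprocess
import time
from dataclasses import dataclass
from typing import Iterator, List, Optional
from urllib.parse import unquote

# host ident user [time] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Illustrative signatures applied to the URL-decoded request path. Decoding
# first means %2e%2e%2f and ../ are matched by the same rule. A real
# deployment keeps this list specific to the application being protected.
SIGNATURES = [
    ("path-traversal", re.compile(r"\.\./")),
    ("null-byte", re.compile(r"\x00")),          # %00 becomes NUL after unquote
    ("sqli-tautology", re.compile(r"'\s*or\s+'?1'?\s*=\s*'?1", re.I)),
    ("overlong-uri", re.compile(r"^.{2048,}$")),
]

# Placeholders (TEST-NET-1 address and an unassigned-looking enterprise arc).
MANAGER = "192.0.2.10"
COMMUNITY = "public"
TRAP_OID = "1.3.6.1.4.1.99999.1"


@dataclass
class Alert:
    source: str     # client address from the log line
    signature: str  # which rule fired
    path: str       # raw (still-encoded) request path
    status: str     # HTTP status the server returned


def parse_line(line: str) -> Optional[re.Match]:
    """Return the match object for a combined-format line, or None if malformed."""
    return LOG_RE.match(line)


def scan(lines) -> List[Alert]:
    """Run every signature over each parsable line; first matching rule wins."""
    alerts: List[Alert] = []
    for line in lines:
        m = parse_line(line)
        if m is None:
            continue  # unparsable lines are skipped, not treated as alerts
        decoded = unquote(m["path"])
        for name, rx in SIGNATURES:
            if rx.search(decoded):
                alerts.append(Alert(m["host"], name, m["path"], m["status"]))
                break
    return alerts


def trap_command(alert: Alert) -> List[str]:
    """Build the net-snmp `snmptrap` argv for an SNMPv2c trap carrying the alert.

    The empty string argument is the sysUpTime field, which snmptrap fills in.
    Varbinds are strings under the placeholder enterprise OID.
    """
    return [
        "snmptrap", "-v", "2c", "-c", COMMUNITY, MANAGER, "", TRAP_OID,
        TRAP_OID + ".1", "s", alert.signature,
        TRAP_OID + ".2", "s", alert.source,
        TRAP_OID + ".3", "s", alert.path,
    ]


def send_trap(alert: Alert, dry_run: bool = True) -> List[str]:
    """Return the argv used; only execute snmptrap when dry_run is False."""
    cmd = trap_command(alert)
    if not dry_run:
        subprocess.run(cmd, check=True)
    return cmd


def follow(path: str, poll: float = 1.0) -> Iterator[str]:
    """Yield new lines appended to a log file, tail -f style."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        fh.seek(0, 2)  # start at end: only watch new requests
        while True:
            line = fh.readline()
            if line:
                yield line.rstrip("\n")
            else:
                time.sleep(poll)


# Constructed sample log lines (not real traffic) for offline demonstration.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Sep/2000:08:28:15 +0100] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [01/Sep/2000:08:28:16 +0100] "GET /cgi-bin/view?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 231 "-" "curl/7.0"',
    '203.0.113.9 - - [01/Sep/2000:08:28:17 +0100] "GET /login?user=admin%27%20or%20%271%27%3D%271 HTTP/1.1" 200 512 "-" "-"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(a, " ".join(send_trap(a)))
```

In production the loop would be `for line in follow("/var/log/httpd/access_log")` feeding `scan` and `send_trap(..., dry_run=False)`; the dry run keeps the example runnable without a management station. Decoding the path before matching is the one design choice worth copying: signatures written against raw, encoded paths are trivially bypassed, whereas the decoded view is what the application itself acts on.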

