Vulnerability Development mailing list archives

Re: SSL & IDS


From: Inno Eroraha <inno () PATRIOT NET>
Date: Fri, 1 Sep 2000 14:08:42 -0400

There is no "IDS" system out there that can decode SSL, SSH, or any
well-implemented STRONG cryptographically-encrypted channel -- Not in
this 'net generation. And it won't be anywhere close to real-time,
depending on the implementation. The best bet is to employ host-based
(HIDS) that can tell you about suspicious activities on a target machine.
There are numerous IDSs of this type.

-0-
inno

On Fri, 1 Sep 2000, Ed Padin wrote:

I don't know of any IDS systems that can decode SSL traffic on the fly. An
IDS is just a smarter network sniffer. SSL and other encrypted protocols are
used to prevent network sniffers from gleaning any information from network
traffic. If there was an IDS that could read SSL traffic then SSL would be a
joke.

The only way I could think of using an IDS to monitor SSL connections is to
use a dedicated SSL wrapper that would establish the SSL session and then
forward the plain text protocol to another server. The IDS can then monitor
the traffic as it leaves the SSL wrapper. This can all take place inside a
physically and logically secured DMZ (well, as secure as you can make it,
anyway.)



-----Original Message-----
From: Roelof Temmingh [mailto:roelof () SENSEPOST COM]
Sent: Thursday, August 31, 2000 12:24 PM
To: VULN-DEV () SECURITYFOCUS COM
Subject: SSL & IDS


All,

I am working on an article-thingy, and while writing I stumbled across
this: IDS & SSL do not work together well...wow! (this was a joke).
Even if you put an IDS on the same platform as the webserver it would not
work. How should this be addressed? Is it addressed in some way by the ppl on
the IDS mailing list? I did a -=very=- quick search for SSL and IDS and didn't
really get anything.

I have some ideas of how one can try to solve it, but I don't want to barge
into other ppl's territory.

Yeah, I know .. it's prolly not the best list for the discussion.

Regards,
Roelof.

------------------------------------------------------
Roelof W Temmingh            SensePost IT security
roelof () sensepost com              +27 83 448 6996
            http://www.sensepost.com                
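
The SSL-wrapper arrangement Ed Padin describes above, as an added example that is not part of any message in this thread: a listener ends the SSL session, matches signatures against the decrypted client bytes, and forwards plaintext to the backend. The signature set, port numbers, certificate paths and all function names are assumptions made for illustration.

```python
import asyncio, logging, re, ssl

# Constructed sample signatures; a real IDS ships its own rule set.
SIGNATURES = {
    "dir-traversal": re.compile(rb"\.\./\.\./"),
    "cmd-exe": re.compile(rb"cmd\.exe", re.I),
}

def inspect(plaintext):
    """Return the names of signatures that match decrypted client bytes."""
    return [name for name, rx in SIGNATURES.items() if rx.search(plaintext)]

async def pump(reader, writer, on_alert=None):
    """Copy one direction; if on_alert is set, inspect each chunk first.
    Chunks are matched independently, so a pattern split across two reads
    is missed; a real sensor reassembles the stream."""
    try:
        while chunk := await reader.read(4096):
            if on_alert:
                for name in inspect(chunk):
                    on_alert(name)
            writer.write(chunk)
            await writer.drain()
    finally:
        writer.close()

def make_handler(backend_host, backend_port, on_alert):
    async def handle(client_r, client_w):
        # asyncio has already ended the SSL session: client_r yields plaintext.
        back_r, back_w = await asyncio.open_connection(backend_host, backend_port)
        await asyncio.gather(
            pump(client_r, back_w, on_alert),  # client -> backend, inspected
            pump(back_r, client_w),            # backend -> client, copied as-is
        )
    return handle

async def serve(cert, key, backend_host, backend_port, listen_port=8443):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert, key)
    handler = make_handler(backend_host, backend_port,
                           lambda name: logging.warning("IDS match: %s", name))
    server = await asyncio.start_server(handler, "0.0.0.0", listen_port, ssl=ctx)
    async with server:
        await server.serve_forever()

if __name__ == "__main__":
    # Assumed certificate paths and backend address; substitute your own.
    asyncio.run(serve("server.crt", "server.key", "127.0.0.1", 8080))
```

The hop from the wrapper to the backend carries cleartext, so it belongs on the secured DMZ segment the message mentions.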



