Vulnerability Development mailing list archives
Re: SSL & IDS
From: J Edgar Hoover <zorch () RIGHTEOUS NET>
Date: Fri, 1 Sep 2000 11:44:37 -0700
Even SSL servers write log files ;) Set up a log file watcher that looks for the same patterns as your NIDS.
Not good enough, for much the same reason as sniffing behind a reverse proxy. Neither option protects you from exploitation of the SSL server itself. Yeah, you might be able to trap malformed URLs, but how about SSL negotiation exploits? Or exploits in the logging mechanism? Remember the SSH remote root bug(s)? You could look at the packets as a whole though... watch for things like unusual volume of traffic from one IP or block. Most servers using SSL don't have nearly as much data coming from the client as the server. Look at packet sizes; how often does a client send more than 1k of data back to the server? Another angle might be that since you have access to the host's keys as well as plain text, some crypto-cruncher could work out an algorithm to detect 'abnormal' traffic.
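A defender-side sketch of the traffic-shape heuristics suggested in the post above (client-to-server byte ratio, client packets over 1k, per-IP packet volume), added here as an example rather than code from the thread; the packet records, thresholds and IPs are constructed, and only sizes and directions are assumed visible, never plaintext.

```python
from collections import defaultdict

BIG_CLIENT_PACKET = 1024  # bytes; "more than 1k back to the server"

# Constructed sample: (client_ip, direction, payload_bytes) seen on TCP/443.
PACKETS = [
    ("10.0.0.5", "c2s", 320), ("10.0.0.5", "s2c", 8100),   # normal browsing
    ("10.0.0.5", "c2s", 290), ("10.0.0.5", "s2c", 6400),
    ("10.0.0.9", "c2s", 1460), ("10.0.0.9", "c2s", 1460),  # large uploads,
    ("10.0.0.9", "c2s", 1460), ("10.0.0.9", "s2c", 210),   # tiny replies
] + [("10.0.0.7", "c2s", 200) for _ in range(60)] \
  + [("10.0.0.7", "s2c", 400) for _ in range(60)]         # chatty client

def per_client_stats(packets):
    """Aggregate bytes per direction, packet count and oversized client packets."""
    stats = defaultdict(lambda: {"c2s": 0, "s2c": 0, "big_c2s": 0, "pkts": 0})
    for ip, direction, size in packets:
        s = stats[ip]
        s[direction] += size
        s["pkts"] += 1
        if direction == "c2s" and size > BIG_CLIENT_PACKET:
            s["big_c2s"] += 1
    return dict(stats)

def flag_clients(packets, ratio_limit=0.5, big_limit=1, pkt_limit=50):
    """Return {ip: [reasons]} for clients whose traffic shape looks unusual.

    Thresholds are placeholders; tune them against a baseline of your own
    server's normal client/server byte ratio and packet rates.
    """
    flagged = {}
    for ip, s in per_client_stats(packets).items():
        reasons = []
        total = s["c2s"] + s["s2c"]
        if total and s["c2s"] / total > ratio_limit:
            reasons.append("client sends more bytes than it receives")
        if s["big_c2s"] >= big_limit:
            reasons.append(f"{s['big_c2s']} client packets over {BIG_CLIENT_PACKET} bytes")
        if s["pkts"] > pkt_limit:
            reasons.append("unusual packet volume from one IP")
        if reasons:
            flagged[ip] = reasons
    return flagged

if __name__ == "__main__":
    for ip, reasons in flag_clients(PACKETS).items():
        print(ip, "->", "; ".join(reasons))
```

Such heuristics only raise suspicion about a connection's shape; they say nothing about its content and will need a per-site baseline to keep false positives down.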