Vulnerability Development mailing list archives

Re: SSL & IDS


From: J Edgar Hoover <zorch () RIGHTEOUS NET>
Date: Fri, 1 Sep 2000 11:44:37 -0700

> Even SSL servers write log files ;)  Set up a log file watcher that
> looks for the same patterns as your NIDS.

Not good enough, for much the same reason as sniffing behind a reverse
proxy.

Neither option protects you from exploitation of the SSL server
itself. Yeah, you might be able to trap malformed URLs, but how about SSL
negotiation exploits? Or exploits in the logging mechanism?

Remember the SSH remote root bug(s)?

You could look at the packets as a whole though... watch for things like
unusual volume of traffic from one IP or block. Most servers using SSL
don't have nearly as much data coming from the client as the server. Look
at packet sizes: how often does a client send more than 1k of data back to
the server?

Another angle might be that since you have access to the host's keys as
well as plain text, some crypto-cruncher could work out an algorithm to
detect 'abnormal' traffic.
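The volume and direction heuristics sketched above, written out as an added example (not code from the original message or from any tool it mentions). It runs over constructed per-connection flow records (client and server byte counts on a TLS port) and flags three things: individual connections where the client pushed more than 1k toward the server, connections where the client sent more than the server did, and source addresses whose aggregate upstream volume is far above the median of their peers. The record field names, the 1k cut-off and the median-multiple factor are assumptions chosen for this example; a real deployment would tune them against its own baseline.

```python
from collections import defaultdict
from statistics import median
from typing import Dict, List

# Constructed flow records (not real captures). Each record is one TCP
# connection summarised by a flow collector: source address, destination,
# destination port, client->server bytes (c2s) and server->client bytes (s2c).
# Field names are assumptions for this example.
SAMPLE_FLOWS: List[dict] = [
    {"src": "198.51.100.10", "dst": "203.0.113.5", "dport": 443, "c2s": 620,  "s2c": 48210},
    {"src": "198.51.100.10", "dst": "203.0.113.5", "dport": 443, "c2s": 415,  "s2c": 12034},
    {"src": "198.51.100.23", "dst": "203.0.113.5", "dport": 443, "c2s": 3900, "s2c": 512},
    {"src": "198.51.100.23", "dst": "203.0.113.5", "dport": 443, "c2s": 7500, "s2c": 380},
    {"src": "198.51.100.23", "dst": "203.0.113.5", "dport": 443, "c2s": 9100, "s2c": 400},
    {"src": "192.0.2.77",    "dst": "203.0.113.5", "dport": 443, "c2s": 880,  "s2c": 65000},
    # Plain HTTP on port 80: outside the scope of the SSL heuristics, ignored below.
    {"src": "192.0.2.77",    "dst": "203.0.113.5", "dport": 80,  "c2s": 5000, "s2c": 300},
]

CLIENT_BYTES_THRESHOLD = 1024   # "more than 1k of data back to the server" (assumed cut-off)
TLS_PORTS = {443}               # ports treated as SSL/TLS for this example


def tls_flows(flows: List[dict]) -> List[dict]:
    """Keep only connections to a port we treat as SSL/TLS."""
    return [f for f in flows if f["dport"] in TLS_PORTS]


def large_client_flows(flows: List[dict], threshold: int = CLIENT_BYTES_THRESHOLD) -> List[dict]:
    """Connections where the client pushed more than `threshold` bytes toward the server.

    Encrypted payload is opaque, but a request that is many kilobytes long is
    visible from size alone and is unusual for a typical browsing client.
    """
    return [f for f in tls_flows(flows) if f["c2s"] > threshold]


def inverted_direction_flows(flows: List[dict]) -> List[dict]:
    """Connections where the client sent more bytes than the server returned.

    For most SSL web servers the bulk of the data flows server->client, so a
    reversed ratio is worth a look even without seeing the plaintext.
    """
    return [f for f in tls_flows(flows) if f["c2s"] > f["s2c"]]


def client_bytes_per_source(flows: List[dict]) -> Dict[str, int]:
    """Aggregate client->server bytes per source address over TLS connections."""
    totals: Dict[str, int] = defaultdict(int)
    for f in tls_flows(flows):
        totals[f["src"]] += f["c2s"]
    return dict(totals)


def high_volume_sources(flows: List[dict], factor: float = 3.0) -> List[str]:
    """Source addresses whose upstream volume exceeds `factor` times the median source.

    The median of all sources is used as the baseline so a single very loud
    client does not drag the average up and hide itself.
    """
    totals = client_bytes_per_source(flows)
    if len(totals) < 2:
        return []  # no peer population to form a baseline against
    baseline = median(totals.values())
    return sorted(src for src, total in totals.items() if total > factor * baseline)


if __name__ == "__main__":
    for f in large_client_flows(SAMPLE_FLOWS):
        print(f"large client payload: {f['src']} sent {f['c2s']} bytes to {f['dst']}:{f['dport']}")
    for f in inverted_direction_flows(SAMPLE_FLOWS):
        print(f"client-heavy connection: {f['src']} c2s={f['c2s']} s2c={f['s2c']}")
    for src in high_volume_sources(SAMPLE_FLOWS):
        print(f"high-volume source: {src} ({client_bytes_per_source(SAMPLE_FLOWS)[src]} bytes upstream)")
```

On the constructed records this flags the three connections from 198.51.100.23, both for exceeding 1k upstream and for sending more than the server replied, and flags that address alone as a high-volume source; the port-80 connection is excluded from every check. All three checks need only byte counts and ports, which is exactly what remains visible when the payload is encrypted.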

