Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: IDS, IPS and encrypted traffic

from [Alexander Klimov] Network Security [Permanent Link]
Subject: Re: IDS, IPS and encrypted traffic
Date: Fri, 3 Dec 2004 22:38:29 +0200 (IST) 
On Thu, 2 Dec 2004, Daniel Hamburg wrote:

Does anybody know some products or papers which deal with the problem of
analyzing encrypted traffic?


It depends on encrypted by what protocol, e.g., for IPSec if you know current
secret key you can use tcpdump:

    -E     Use  spi@ipaddr  algo:secret  for  decrypting  IPsec  ESP  packets
           that  are addressed to addr and contain Security Parameter Index
           value spi.

In other situations it is more difficult to arrange (MitM) or even impossible so
it is better to avoid encryption where it is not needed. For example, if you
want to make IDS which checks SSL-protected input to your web server you should
consider inserting the IDS between SSL-processor (server-side proxy, e.g.,
stunnel) and actual http engine.

-- 
Regards,
ASK

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Foolin an IDS ?, Mark Teicher
Next by Date:  RE: ISS Siteprotector as syslog server?, Leandro Reox
Previous by Thread:  Re: IDS, IPS and encrypted traffic, Brad Boeckmann
Next by Thread:  Re: IDS, IPS and encrypted traffic, Jose Maria Lopez
Indexes:  [Date] [Thread] [Top] [All Lists]