Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: How to monitor encrypted connections...

from [Leonardo Cavallari Militelli] Network Security [Permanent Link]
Subject: RE: How to monitor encrypted connections...
Date: Tue, 25 Sep 2007 13:33:39 -0300 
In line:


On my Msc thesis I finished last year, I proposed an IDS/IPS
architecture
and developed what I call Application-based sensor.
In this sense, I debugged Apache behavior and catch the requests

after

they
were decrypted and before they were processed by the app server.


How is it different than ModSecurity?


In the time I developed my thesis, the WAF concept had just start to be
discussed. I found some solutions like BrachView SSL and McAfee "Intrushield
SSL Traffic Inspection and Prevention" only when I was to present my thesis.

When I studied ModSecurity, I felt it lacked some features, mainly the
integration with traditional detection/prevention architectures and attack
prevention. Apart from the last that I now is already implemented on new
version of modsecurity, I'm not aware its new capabilities.

As part of the project, I developed an API to enable interprocess
communication and used portion of snort as a detection engine, so it could
detect web attacks.
Another way to detect user misuse/attacks is based on pre-defined rules,
that protect the application/server for unauthorized requests, like HTTP
OPTIONS, TRACE, even if they are enable at server settings.

The developed prototype shown very stable and with a little performance cost
about 100 microseconds, when operating in active mode (preventing attacks).
It wasn't notice considerable delay for passive mode (reactive mode).
According to the alert level, the sensor can automatically set some
predefined rules in the local server to stop the attack and send alert
information to a complete IDS in real time, thus permitting activate some
protection rules at border controls (firewalls).

Last, I implemented the still not-so-much known/acceptable IDMEF format and
IDXP protocol to exchange messages in proper standard.

Although lots of work remains to be improved, I cannot continue it for now
due other activities (more than a year since I finished). I hope I can put
some effort on it and publish for the community.

Regards,

Leonardo Cavallari Militelli, MSc. / GIAC-GAWN 
Núcleo de Segurança e Redes de Alta Velocidade            
Escola Politécnica
Universidade de São Paulo
www.lsi.usp.br/~nsrav


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to 
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
 
to learn more.
------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Using Snort to find creditcard data?, jerikl75
Previous by Thread:  RE: How to monitor encrypted connections..., Ofer Shezaf
Next by Thread:  RE: How to monitor encrypted connections..., Srinivasa Addepalli
Indexes:  [Date] [Thread] [Top] [All Lists]