Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security ISSForum
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[ISSForum] IDS monitor HTTPs traffic

from [Italo Tapia] Network Security [Permanent Link]
Subject: [ISSForum] IDS monitor HTTPs traffic
Date: Tue, 22 Nov 2005 11:27:32 -0300 
Hi Pramote,

Edit your Sensor's current policy, click on the "Connection Events" Tab.
Click on the "Add" button and enter a name (like "HTTPS", or something you
could recognize later). Expand the Tree at left pane and search for the
event you just created (it would be at the end) and click on it.
Configure: Protocol = tcp; Destination -> Service (click on the "..."
button) = choose https and click on OK. Also, you could enter some
description and/or change the priority of the event.

Close the Policy Editor and choose Yes to save and apply the policy.

This new connection event you created will inform you when packets using
HTTPS (TCP 443) as destination were seen. If you want you could create a
similar rule to fire when packets using HTTPS as 'source' port are
discovered (that means the response from the Web Server). You can't use
the same event connection rule created before to catch both, you need two
of them, one for destination and one for source port, but the name of this
new event rule could be the same as the previous one.

Off course, this connection events you created can't decrypt the
information exchanged between the browser and the web server and are
useless to find vulnerabilities been exploited. In order to do that you
could try BreachView SSL (Breach Security, Inc.) this software claims for
decrypt SSL traffic for RealSecure Network Sensor 7.0 and make this
traffic visible for Sensor's engine.

I haven't tested yet and I don't know if is officially supported by ISS,
but you could try it.

http://www.breach.com/products_breachviewssl.asp
http://www.breach.com/downloads/product/BreachView_SSL_Frequently_Asked_Questions.pdf



Regards,
Italo Tapia Sch., CISSP, ISS-Certified Specialist (ISS-CS)
Research & Development Engineer
Orión 2000 S.A.
Chile


_______________________________________________
ISSForum mailing list
ISSForum@iss.net

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to 
https://atla-mm1.iss.net/mailman/listinfo/issforum

To contact the ISSForum Moderator, send email to mod-issforum@iss.net

The ISSForum mailing list is hosted and managed by Internet Security Systems, 
6303 Barfield Road, Atlanta, Georgia, USA 30328.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [ISSForum] Troubles with installing XPU's, Richard Franken
Next by Date:  [ISSForum] How to send event data to a syslog server?, Italo Tapia
Previous by Thread:  [ISSForum] IDS monitor HTTPs traffic, Italo Tapia
Next by Thread:  [ISSForum] Proventia M10 - Again..., Renato Borseti
Indexes:  [Date] [Thread] [Top] [All Lists]