Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

focus-ids logo IDS mailing list archives

Re: IDS, IPS and encrypted traffic
From: Alexander Klimov <alserkli () inbox ru>
Date: Fri, 3 Dec 2004 22:38:29 +0200 (IST)
On Thu, 2 Dec 2004, Daniel Hamburg wrote:

Does anybody know some products or papers which deal with the problem of
analyzing encrypted traffic?


It depends on encrypted by what protocol, e.g., for IPSec if you know current
secret key you can use tcpdump:

    -E     Use  spi () ipaddr  algo:secret  for  decrypting  IPsec  ESP  packets
           that  are addressed to addr and contain Security Parameter Index
           value spi.

In other situations it is more difficult to arrange (MitM) or even impossible so
it is better to avoid encryption where it is not needed. For example, if you
want to make IDS which checks SSL-protected input to your web server you should
consider inserting the IDS between SSL-processor (server-side proxy, e.g.,
stunnel) and actual http engine.

-- 
Regards,
ASK

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]