RE: encrypted data honeypots and IDS

["dissolved" <dissolved () comcast net>]

Unless 75% of your traffic is encrypted, I wouldn't worry about it. We wont
see full time encrypted networks for a while due to obvious reasons.
When/if IPv6 ever comes out, that could be a different story

-----Original Message-----
From: John Galt [mailto:everbeeninlove () gmail com] 
Sent: Monday, February 21, 2005 7:34 AM
To: honeypots () securityfocus com; focus-ids () securityfocus com;
security-basics () securityfocus com
Subject: encrypted data honeypots and IDS

Hello! I have been working with IDS's and honeypots for a while, and
have constantly been intruiged by one thing: As long as you control
networks, its good to have all traffic encrypted (whether its over
http over ssl or ssh instead of telnet etc), but to sniff and analyse
data as in an IDS, you need it to be unencrypted. With encryption
being used increasingly in so many communications, will that result in
the demise of IDSs in the long run, unless they change their
architecture in some manner.

As an example, snort flags logs whenever there is a return id for
root, since it assumes thats an automated script. But something like
that over ssh would never get caught.

Would be glad if anyone can give any inputs regarding work done to
deal with this "problem"

regards

John Galt