IDS mailing list archives

Re: IDS, IPS and encrypted traffic

From: Alexander Klimov <alserkli () inbox ru>
Date: Fri, 3 Dec 2004 22:38:29 +0200 (IST)

On Thu, 2 Dec 2004, Daniel Hamburg wrote:

Does anybody know some products or papers which deal with the problem of
analyzing encrypted traffic?


It depends on encrypted by what protocol, e.g., for IPSec if you know current
secret key you can use tcpdump:

    -E     Use  spi@ipaddr  algo:secret  for  decrypting  IPsec  ESP  packets
           that  are addressed to addr and contain Security Parameter Index
           value spi.

In other situations it is more difficult to arrange (MitM) or even impossible so
it is better to avoid encryption where it is not needed. For example, if you
want to make IDS which checks SSL-protected input to your web server you should
consider inserting the IDS between SSL-processor (server-side proxy, e.g.,
stunnel) and actual http engine.

-- 
Regards,
ASK

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------

Current thread:

IDS, IPS and encrypted traffic Daniel Hamburg (Dec 02)
- Re: IDS, IPS and encrypted traffic neil (Dec 02)
  - Re: IDS, IPS and encrypted traffic Alex Butcher, ISC/ISYS (Dec 07)
- Re: IDS, IPS and encrypted traffic Jet (Dec 03)
- Re: IDS, IPS and encrypted traffic Brad Boeckmann (Dec 03)
- Re: IDS, IPS and encrypted traffic Alexander Klimov (Dec 06)
- Re: IDS, IPS and encrypted traffic Jose Maria Lopez (Dec 07)
- <Possible follow-ups>
- RE: IDS, IPS and encrypted traffic Eric McCarty (Dec 02)