Security Basics mailing list archives
encrypted data honeypots and IDS
From: John Galt <everbeeninlove () gmail com>
Date: Mon, 21 Feb 2005 18:04:24 +0530
Hello! I have been working with IDS's and honeypots for a while, and have constantly been intruiged by one thing: As long as you control networks, its good to have all traffic encrypted (whether its over http over ssl or ssh instead of telnet etc), but to sniff and analyse data as in an IDS, you need it to be unencrypted. With encryption being used increasingly in so many communications, will that result in the demise of IDSs in the long run, unless they change their architecture in some manner. As an example, snort flags logs whenever there is a return id for root, since it assumes thats an automated script. But something like that over ssh would never get caught. Would be glad if anyone can give any inputs regarding work done to deal with this "problem" regards John Galt
Current thread:
- encrypted data honeypots and IDS John Galt (Feb 24)