encrypted data honeypots and IDS

[John Galt <everbeeninlove () gmail com>]

Hello! I have been working with IDS's and honeypots for a while, and
have constantly been intruiged by one thing: As long as you control
networks, its good to have all traffic encrypted (whether its over
http over ssl or ssh instead of telnet etc), but to sniff and analyse
data as in an IDS, you need it to be unencrypted. With encryption
being used increasingly in so many communications, will that result in
the demise of IDSs in the long run, unless they change their
architecture in some manner.

As an example, snort flags logs whenever there is a return id for
root, since it assumes thats an automated script. But something like
that over ssh would never get caught.

Would be glad if anyone can give any inputs regarding work done to
deal with this "problem"

regards

John Galt