IDS mailing list archives
Re: How to monitor encrypted connections...
From: "crazy frog crazy frog" <i.m.crazy.frog () gmail com>
Date: Fri, 28 Sep 2007 20:37:45 +0530
Hi,

To capture the SSL there is a MITM technique. Suppose a client wants to communicate using SSL; then first the IDS/IPS will act as a server to the client and use fake certificates. All the data comes to the IPS/IDS, and then it communicates with the real server. The thing which makes it work is that users don't check the authenticity of the certificates and blindly click on yes, so it works.

--
---------------------------------------
write your infosec blog on http://secgeeks.com
register here:- http://secgeeks.com/user/register
rss feeds :- http://secgeeks.com/node/feed
---------------------------------------

On 9/25/07, Leonardo Cavallari Militelli <leonardo () lsi usp br> wrote:
> In line:
>
> > On my MSc thesis, which I finished last year, I proposed an IDS/IPS architecture and developed what I call an application-based sensor. In this sense, I debugged Apache's behavior and caught the requests after they were decrypted and before they were processed by the app server.
> >
> > How is it different from ModSecurity?
>
> At the time I developed my thesis, the WAF concept had just started to be discussed. I found some solutions like BreachView SSL and McAfee "IntruShield SSL Traffic Inspection and Prevention" only when I was about to present my thesis. When I studied ModSecurity, I felt it lacked some features, mainly integration with traditional detection/prevention architectures and attack prevention. Apart from the last, which I know is already implemented in the new version of ModSecurity, I'm not aware of its new capabilities.
>
> As part of the project, I developed an API to enable interprocess communication and used a portion of Snort as a detection engine, so it could detect web attacks. Another way to detect user misuse/attacks is based on pre-defined rules that protect the application/server from unauthorized requests, like HTTP OPTIONS and TRACE, even if they are enabled in the server settings.
>
> The developed prototype proved very stable, with a small performance cost of about 100 microseconds when operating in active mode (preventing attacks). No considerable delay was noticed for passive mode (reactive mode). According to the alert level, the sensor can automatically set some predefined rules in the local server to stop the attack and send alert information to a complete IDS in real time, thus permitting the activation of some protection rules at border controls (firewalls).
>
> Last, I implemented the still not-so-well-known/accepted IDMEF format and IDXP protocol to exchange messages in a proper standard. Although lots of work remains to be done, I cannot continue it for now due to other activities (more than a year since I finished). I hope I can put some effort into it and publish it for the community.
> Regards,
>
> Leonardo Cavallari Militelli, MSc. / GIAC-GAWN
> Núcleo de Segurança e Redes de Alta Velocidade
> Escola Politécnica
> Universidade de São Paulo
> www.lsi.usp.br/~nsrav

------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more.
------------------------------------------------------------------------
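The interception described in the post above, as an added worked example (not code from the thread): the inspecting box terminates the client's SSL session with a certificate it minted for the real server's name, then opens its own session to the real server and relays. Whether the trick works depends only on what the client checks, so the example models the client-side decision in three cases: a user who clicks through the warning, a client that verifies properly, and a client whose trust store has the inspection CA installed. CA signatures are replaced by HMAC-SHA256 keyed with a per-CA secret so the code runs offline (the trust store therefore holds those secrets where a browser holds CA public keys); encryption itself is not modelled. All names (Public-CA, Inspection-CA, bank.example, the request line) are constructed for the example.

```python
# Added example: toy model of SSL interception by an inspecting IDS/IPS.
# CA "signatures" are HMAC-SHA256 under a per-CA secret (stand-in for a real
# public-key signature so the example runs offline).  All names constructed.
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Cert:
    subject: str   # host name the certificate is for
    issuer: str    # CA that signed it
    pubkey: str    # toy stand-in for the server's public key
    sig: bytes     # toy CA signature over (subject, issuer, pubkey)


def _tbs(subject: str, issuer: str, pubkey: str) -> bytes:
    """The 'to be signed' part of the certificate."""
    return f"{subject}|{issuer}|{pubkey}".encode()


def issue(ca_name: str, ca_secret: bytes, subject: str, pubkey: str) -> Cert:
    sig = hmac.new(ca_secret, _tbs(subject, ca_name, pubkey), hashlib.sha256).digest()
    return Cert(subject, ca_name, pubkey, sig)


def verify(cert: Cert, expected_host: str, trust_store: Dict[str, bytes]) -> bool:
    """What a non-blind client checks: trusted issuer, valid signature, and a
    subject matching the host the user actually asked for."""
    ca_secret = trust_store.get(cert.issuer)
    if ca_secret is None:
        return False
    expected = hmac.new(ca_secret, _tbs(cert.subject, cert.issuer, cert.pubkey),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, cert.sig):
        return False
    return cert.subject == expected_host


def client_accepts(cert: Cert, host: str, trust_store: Dict[str, bytes],
                   clicks_yes_on_warning: bool) -> bool:
    """The client proceeds if verification passes, or if the user blindly
    clicks 'yes' on the certificate warning."""
    return verify(cert, host, trust_store) or clicks_yes_on_warning


HOST = "bank.example"                            # constructed
REAL_CA_SECRET = b"public-ca-secret"             # constructed
INSPECTION_CA_SECRET = b"inspection-ca-secret"   # constructed
REAL_CERT = issue("Public-CA", REAL_CA_SECRET, HOST, "real-server-key")
REQUEST = "GET /account HTTP/1.1"                # constructed plaintext


def intercept(user_clicks_yes: bool, inspection_ca_installed: bool) -> Optional[str]:
    """Run the exchange once.  Returns the plaintext the inspecting box gets
    to read, or None when the client refuses the forged certificate."""
    trust = {"Public-CA": REAL_CA_SECRET}
    if inspection_ca_installed:       # e.g. a corporate CA pushed to desktops
        trust["Inspection-CA"] = INSPECTION_CA_SECRET
    # 1. client -> inspector: hello for HOST.  The inspector answers with a
    #    certificate for HOST under its own CA: the "fake certificate".
    forged = issue("Inspection-CA", INSPECTION_CA_SECRET, HOST, "inspector-key")
    if not client_accepts(forged, HOST, trust, user_clicks_yes):
        return None                    # handshake aborted, nothing to inspect
    # 2. inspector -> real server: its own handshake, verifying the genuine
    #    certificate the way a correct client would.
    if not verify(REAL_CERT, HOST, {"Public-CA": REAL_CA_SECRET}):
        return None
    # 3. client data is encrypted to inspector-key; the inspector decrypts,
    #    inspects, re-encrypts to real-server-key and relays.  This plaintext
    #    is what the IDS sees.
    return REQUEST


if __name__ == "__main__":
    for clicks, installed in ((True, False), (False, False), (False, True)):
        print(f"clicks_yes={clicks} ca_installed={installed}: "
              f"{intercept(clicks, installed)!r}")
```

The three cases are the whole story of this technique: it succeeds against users who accept the warning or against fleets where the inspection CA has been installed, and it fails against a client that verifies the chain and the name (or pins the real certificate), at which point the only place left to see plaintext is on the endpoint itself, after decryption.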
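The other approach in the quoted message, the application-based sensor that sees the request after SSL decryption and before the application handles it, as an added example (not Leonardo's prototype or its API). It shows the two rule types he describes: method rules that reject OPTIONS and TRACE whatever the server configuration allows, and content signatures in the spirit of a Snort rule, with the active/passive distinction deciding whether a hit is denied or only alerted on. The signatures, rule ids and sample requests are constructed for the example; a real deployment would hook this in at the server's post-decryption point (for Apache, a request-phase hook) rather than call it on strings.

```python
# Added example: rule checks an application-based sensor can run on a request
# once it is decrypted.  Rule ids, patterns and sample requests are constructed.
import re
from typing import Dict, List, Tuple

# Rejected regardless of what the server's own config permits.
DENIED_METHODS = {"OPTIONS", "TRACE", "CONNECT"}

# (rule id, description, pattern applied to request target plus headers)
SIGNATURES: List[Tuple[str, str, "re.Pattern"]] = [
    ("APP-1001", "directory traversal", re.compile(r"(\.\./|%2e%2e%2f)", re.I)),
    ("APP-1002", "script tag in request", re.compile(r"<\s*script", re.I)),
    ("APP-1003", "SQL tautology", re.compile(r"(\bor\b|%20or%20)\s*\d+\s*=\s*\d+", re.I)),
]


def parse_request(raw: str) -> Dict[str, object]:
    """Split a decrypted HTTP/1.x request head into its parts."""
    lines = raw.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:               # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def inspect(raw: str, mode: str = "active") -> Tuple[str, List[str]]:
    """Return ('pass'|'deny'|'alert', [rule ids that fired]).
    active mode denies on any hit; passive mode only raises the alert."""
    req = parse_request(raw)
    hits: List[str] = []
    if req["method"] in DENIED_METHODS:
        hits.append(f"METHOD-{req['method']}")
    head = str(req["target"]) + "\n" + "\n".join(
        f"{k}: {v}" for k, v in req["headers"].items())
    for rule_id, _desc, pattern in SIGNATURES:
        if pattern.search(head):
            hits.append(rule_id)
    if not hits:
        return "pass", []
    return ("deny" if mode == "active" else "alert"), hits


# Constructed sample requests, as they would look after decryption.
GOOD = "GET /index.html HTTP/1.1\r\nHost: www.example\r\nUser-Agent: test\r\n\r\n"
TRACE_REQ = "TRACE / HTTP/1.1\r\nHost: www.example\r\n\r\n"
TRAVERSAL = "GET /cgi-bin/view?file=../../etc/passwd HTTP/1.1\r\nHost: www.example\r\n\r\n"
XSS_UA = ("GET /search?q=x HTTP/1.1\r\nHost: www.example\r\n"
          "User-Agent: <script>alert(1)</script>\r\n\r\n")

if __name__ == "__main__":
    for name, raw in (("good", GOOD), ("trace", TRACE_REQ),
                      ("traversal", TRAVERSAL), ("xss-ua", XSS_UA)):
        print(name, inspect(raw), inspect(raw, mode="passive"))
```

Matching on the decrypted target and headers is what makes this work where a network IDS on the wire cannot; the cost is that the sensor lives inside the trust boundary of the server it protects, so its own rule updates and alert channel need the same care as the application.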