RE: How to monitor encrypted connections...

["Leonardo Cavallari Militelli" <leonardo () lsi usp br>]

In line:

> > On my Msc thesis I finished last year, I proposed an IDS/IPS
> > architecture
> > and developed what I call Application-based sensor.
> > In this sense, I debugged Apache behavior and catch the requests
> after
> > they
> > were decrypted and before they were processed by the app server.
>
> How is it different than ModSecurity?
In the time I developed my thesis, the WAF concept had just start to be
discussed. I found some solutions like BrachView SSL and McAfee "Intrushield
SSL Traffic Inspection and Prevention" only when I was to present my thesis.

When I studied ModSecurity, I felt it lacked some features, mainly the
integration with traditional detection/prevention architectures and attack
prevention. Apart from the last that I now is already implemented on new
version of modsecurity, I'm not aware its new capabilities.

As part of the project, I developed an API to enable interprocess
communication and used portion of snort as a detection engine, so it could
detect web attacks.
Another way to detect user misuse/attacks is based on pre-defined rules,
that protect the application/server for unauthorized requests, like HTTP
OPTIONS, TRACE, even if they are enable at server settings.

The developed prototype shown very stable and with a little performance cost
about 100 microseconds, when operating in active mode (preventing attacks).
It wasn't notice considerable delay for passive mode (reactive mode).
According to the alert level, the sensor can automatically set some
predefined rules in the local server to stop the attack and send alert
information to a complete IDS in real time, thus permitting activate some
protection rules at border controls (firewalls).

Last, I implemented the still not-so-much known/acceptable IDMEF format and
IDXP protocol to exchange messages in proper standard.

Although lots of work remains to be improved, I cannot continue it for now
due other activities (more than a year since I finished). I hope I can put
some effort on it and publish for the community.

Regards,

Leonardo Cavallari Militelli, MSc. / GIAC-GAWN 
Núcleo de Segurança e Redes de Alta Velocidade            
Escola Politécnica
Universidade de São Paulo
www.lsi.usp.br/~nsrav


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------