Honeypots mailing list archives
RE: encrypted data honeypots and IDS
From: "Roger A. Grimes" <roger () banneretcs com>
Date: Thu, 3 Mar 2005 04:32:48 -0500
Encrypted traffic is certainly a concern to any honeypot administrator, but this problem isn't new or unaddressed. There are several methods and tools you can use to track encrypted traffic, most relying on the fact that even encrypted traffic must be unencrypted on the eventual host to work. The traffic can then be captured and forwarded to a monitoring station. Sebek is the most common tool for this, although it has many limitations in the Windows environment (doesn't capture GUI traffic, etc.). There are many other tools that will capture command-line based traffic, and other tools that will capture the GUI stuff. If you are concerned about encrypted traffic, you can create a offense-in-depth collection of monitoring tools to defeat the encrypted traffic. Roger ************************************************************************ *** *Roger A. Grimes, Banneret Computer Security, Computer Security Consultant *CPA, CISSP, MCSE: Security (NT/2000/2003/MVP), CNE (3/4), CEH, CHFI *email: roger () banneretcs com *cell: 757-615-3355 *Author of Malicious Mobile Code: Virus Protection for Windows by O'Reilly *http://www.oreilly.com/catalog/malmobcode *Author of Honeypots for Windows (Apress) *http://www.apress.com/book/bookDisplay.html?bID=281 ************************************************************************ **** -----Original Message----- From: John Galt [mailto:everbeeninlove () gmail com] Sent: Monday, February 21, 2005 7:34 AM To: honeypots () securityfocus com; focus-ids () securityfocus com; security-basics () securityfocus com Subject: encrypted data honeypots and IDS Hello! I have been working with IDS's and honeypots for a while, and have constantly been intruiged by one thing: As long as you control networks, its good to have all traffic encrypted (whether its over http over ssl or ssh instead of telnet etc), but to sniff and analyse data as in an IDS, you need it to be unencrypted. With encryption being used increasingly in so many communications, will that result in the demise of IDSs in the long run, unless they change their architecture in some manner. As an example, snort flags logs whenever there is a return id for root, since it assumes thats an automated script. But something like that over ssh would never get caught. Would be glad if anyone can give any inputs regarding work done to deal with this "problem" regards John Galt
Current thread:
- RE: encrypted data honeypots and IDS Roger A. Grimes (Mar 03)