SSL Solution for IDS - TechRepublic
General discussion
February 25, 2009 at 12:20 PM
tony.gore

SSL Solution for IDS

by tony.gore . Updated 17 years, 4 months ago

An SSL Solution for IDSs

Not long ago I was staring at a desert floor in the wonder paradise of Iraq. Now I find myself back in the IT world in the US. Where it?s become painfully apparent that I am faced with one more dozy of a problem.

To put it simply they?re called BOTs and BOT Herders and the methods implemented to bypass IDS systems and enter a network. Once on the network the chaos and havoc that can ensue is truly amazing! The commands that are so vital to a BOTs operation are sent through encrypted SSL packets.

As I inspected our IDS I noticed that the company I?m with does absolutely nothing with the SSL side of the house. Now it has fallen to me to find a cost effective method to discover BOT traffic inside of those encrypted streams.

My initial thoughts were to find an appliance to do the actual job for me and feed that to an IDS solution. Sounds simple but the appliances I have found out there have only been ones that require me to manually upload the certificate into them in order to break the encryption. Now to you my reader if that is incorrect please by all means let me know and I am not so far removed to admit when I am wrong.

Now I?m looking into using SNORT with the viewSSL daemon to take the packet and match the contents against the rules. All of these actions in effort to determine if there is any bot traffic inside of them.

Sooo Gents and Ladies let the discussions and comments begin.. As I said I am more than open to ALL the solutions your can send out!

Yours?

This discussion is locked

All Comments