Jean,

In my MSc thesis, which I finished last year, I proposed an IDS/IPS architecture and developed what I call an application-based sensor. In this sense, I debugged Apache's behavior and caught the requests after they were decrypted and before they were processed by the app server.

BTW, did you check about WAF - Web Application Firewall?

Regards,

Leonardo Cavallari Militelli, MSc. / GIAC-GAWN
Universidade de São Paulo - USP
www.lsi.usp.br/~nsrav

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ofer Shezaf
Sent: Sunday, September 23, 2007 10:51
To: Jean-Pierre FORCIOLI; [email protected]
Subject: RE: How to monitor encrypted connections...

There are basically three ways to monitor SSL traffic:

+ Terminate at the edge of the network and connect your IDS to the cleartext segment. While trivial, this is the most common solution. The disadvantages are of course:
  (a) Decrypting early, requiring your data to flow through part of your network unencrypted.
  (b) Need for an additional device to decrypt SSL at the edge.

+ SSL Bridge - terminate and then re-encrypt. Works only for an in-line device and might validate non-repudiation.

+ Passively decrypt - decrypt a copy of the traffic, without actually being part of the conversation.
This one is the best add-on for existing IDS systems (*SHAMELESS PLUG* we sell such an add-on)

~ Ofer

Ofer Shezaf
[EMAIL PROTECTED], Phone: +972-9-9560036 #212, Cell: +972-54-4431119
CTO, Breach Security; Chair, OWASP Israel; Leader, ModSecurity Core Rule Set Project

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Jean-Pierre FORCIOLI
> Sent: Wednesday, September 19, 2007 7:23 PM
> To: [email protected]
> Subject: How to monitor encrypted connections...
>
> Hi,
>
> Still working on my IDS/IPS project...
> When browsing some IDS/IPS vendors' datasheets, I noticed that some of them
> claimed being able to monitor encrypted traffic.
> Could someone provide me with some insight on what is currently possible (and already
> implemented) and what are the eventual limitations?
>
> Best regards.
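
Added example, not part of the original thread: the passive decryption option listed in Ofer Shezaf's message, when the sensor holds only the server's RSA private key, can recover session keys for RSA key exchange but not for ephemeral (EC)DHE key exchange. This sketch reads the chosen cipher suite from a captured ServerHello so a sensor can record which sessions it cannot see into; the function names and sample records are constructed for illustration, and the suite tables are a small subset of the IANA registry.

```python
# Key-exchange family by cipher-suite ID (subset of the IANA TLS registry).
RSA_KX = {0x0004, 0x0005, 0x000A, 0x002F, 0x0035, 0x003C, 0x003D, 0x009C, 0x009D}
EPHEMERAL_KX = {0x0016, 0x0033, 0x0039, 0x0067, 0x006B, 0x009E, 0x009F,
                0xC013, 0xC014, 0xC027, 0xC028, 0xC02F, 0xC030}


def server_hello_cipher_suite(record: bytes) -> int:
    """Return the cipher-suite ID selected in one TLS ServerHello record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    if record[0] != 22:                      # content type 22 = handshake
        raise ValueError("not a handshake record")
    rec_len = int.from_bytes(record[3:5], "big")
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 2:        # handshake type 2 = ServerHello
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    # Layout: version (2) + random (32) + session-id length (1) + session id
    if len(hello) < 35:
        raise ValueError("truncated ServerHello")
    offset = 35 + hello[34]
    if len(hello) < offset + 2:
        raise ValueError("truncated ServerHello")
    return int.from_bytes(hello[offset:offset + 2], "big")


def passive_visibility(record: bytes) -> str:
    """Classify whether a key-holding passive sensor can decrypt the session."""
    suite = server_hello_cipher_suite(record)
    if suite in RSA_KX:
        return "server-key-decryptable"
    if suite in EPHEMERAL_KX:
        return "ephemeral-key-exchange"
    return "unknown-suite"


def build_server_hello(suite: int, session_id: bytes = b"") -> bytes:
    """Construct a minimal TLS 1.0 ServerHello record (sample data only)."""
    hello = (b"\x03\x01" + bytes(32) + bytes([len(session_id)]) + session_id
             + suite.to_bytes(2, "big") + b"\x00")
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


if __name__ == "__main__":
    for suite in (0x002F, 0xC02F, 0x00FF):   # constructed sample handshakes
        rec = build_server_hello(suite, session_id=bytes(16))
        print(f"0x{suite:04X}: {passive_visibility(rec)}")
```
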
