Hi, To capture the SSL there is a MITM technique.Suppoes client wants to communicate using SSL then first the IDS/IPS will act as a server to the client and uses fake certificates.all the data come to the IPS/IDS and then they communicate with the real server. the thing which make it work is that user dont check the authencity of the certificates and blindly click on yes,so it works.
-- --------------------------------------- write your infosec blog on http://secgeeks.com register here:- http://secgeeks.com/user/register rss feeds :- http://secgeeks.com/node/feed --------------------------------------- On 9/25/07, Leonardo Cavallari Militelli <[EMAIL PROTECTED]> wrote: > In line: > > > > On my Msc thesis I finished last year, I proposed an IDS/IPS > > > architecture > > > and developed what I call Application-based sensor. > > > In this sense, I debugged Apache behavior and catch the requests > > after > > > they > > > were decrypted and before they were processed by the app server. > > > > How is it different than ModSecurity? > > > In the time I developed my thesis, the WAF concept had just start to be > discussed. I found some solutions like BrachView SSL and McAfee "Intrushield > SSL Traffic Inspection and Prevention" only when I was to present my thesis. > > When I studied ModSecurity, I felt it lacked some features, mainly the > integration with traditional detection/prevention architectures and attack > prevention. Apart from the last that I now is already implemented on new > version of modsecurity, I'm not aware its new capabilities. > > As part of the project, I developed an API to enable interprocess > communication and used portion of snort as a detection engine, so it could > detect web attacks. > Another way to detect user misuse/attacks is based on pre-defined rules, > that protect the application/server for unauthorized requests, like HTTP > OPTIONS, TRACE, even if they are enable at server settings. > > The developed prototype shown very stable and with a little performance cost > about 100 microseconds, when operating in active mode (preventing attacks). > It wasn't notice considerable delay for passive mode (reactive mode). > According to the alert level, the sensor can automatically set some > predefined rules in the local server to stop the attack and send alert > information to a complete IDS in real time, thus permitting activate some > protection rules at border controls (firewalls). > > Last, I implemented the still not-so-much known/acceptable IDMEF format and > IDXP protocol to exchange messages in proper standard. > > Although lots of work remains to be improved, I cannot continue it for now > due other activities (more than a year since I finished). I hope I can put > some effort on it and publish for the community. > > Regards, > > Leonardo Cavallari Militelli, MSc. / GIAC-GAWN > Núcleo de Segurança e Redes de Alta Velocidade > Escola Politécnica > Universidade de São Paulo > www.lsi.usp.br/~nsrav > > > ------------------------------------------------------------------------ > Test Your IDS > > Is your IDS deployed correctly? > Find out quickly and easily by testing it > with real-world attacks from CORE IMPACT. > Go to > http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw > to learn more. > ------------------------------------------------------------------------ > > ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
