Hi Pramote, Edit your Sensor's current policy, click on the "Connection Events" Tab. Click on the "Add" button and enter a name (like "HTTPS", or something you could recognize later). Expand the Tree at left pane and search for the event you just created (it would be at the end) and click on it. Configure: Protocol = tcp; Destination -> Service (click on the "..." button) = choose https and click on OK. Also, you could enter some description and/or change the priority of the event.
Close the Policy Editor and choose Yes to save and apply the policy. This new connection event you created will inform you when packets using HTTPS (TCP 443) as destination were seen. If you want you could create a similar rule to fire when packets using HTTPS as 'source' port are discovered (that means the response from the Web Server). You can't use the same event connection rule created before to catch both, you need two of them, one for destination and one for source port, but the name of this new event rule could be the same as the previous one. Off course, this connection events you created can't decrypt the information exchanged between the browser and the web server and are useless to find vulnerabilities been exploited. In order to do that you could try BreachView SSL (Breach Security, Inc.) this software claims for decrypt SSL traffic for RealSecure Network Sensor 7.0 and make this traffic visible for Sensor's engine. I haven't tested yet and I don't know if is officially supported by ISS, but you could try it. http://www.breach.com/products_breachviewssl.asp http://www.breach.com/downloads/product/BreachView_SSL_Frequently_Asked_Questions.pdf Regards, Italo Tapia Sch., CISSP, ISS-Certified Specialist (ISS-CS) Research & Development Engineer OriĆ³n 2000 S.A. Chile _______________________________________________ ISSForum mailing list [email protected] TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo/issforum To contact the ISSForum Moderator, send email to [EMAIL PROTECTED] The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
