On Friday 07 March 2003 09:13, Christoph Haas wrote:
> On Fri, Mar 07, 2003 at 12:25:26AM +0100, Henrik Nordstrom wrote:
> > You can always use IDS tools like snort and the like to detect such
> > strange traffic patterns.
>
> But how can snort tell one SSL connection from the other?

From the, though admittedly little, information I learned, it is not too hard to get a reasonably good idea what kind of traffic is going through an SSL tunnel, as ssh-like conversations have wildly different characteristics than your typical https "conversation" does. Both in frequency, and in packet size. I don't know if there is any (snort or otherwise) implementation to check for such signs, but I will bet it is feasible.

If you already suspect certain individuals you can probably get enough reasons to get them for breaking company policy. At least until the 'hackers' start padding the packets and take very big lag as a necessary 'feature'. Which is doubtful they can bear...

Maarten

--
Maarten J. H. van den Berg ~~//~~ network administrator
VBVB - Amsterdam - The Netherlands - http://vbvb.nl
T +31204233288 F +31204233286 G +31651994273
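
Added example (not part of the original message, and not an existing snort feature): a sketch of the packet-size and frequency check the reply describes, scoring per-flow packet records for a port 443 connection and flagging flows shaped like a terminal session. The record layout, the thresholds and both sample flows are assumptions constructed for illustration.

```python
from statistics import median

# Assumed thresholds (not from the post); tune against a baseline of your own traffic.
SMALL_PAYLOAD = 128     # bytes: keystroke-sized records
MIN_PACKETS = 20        # flows shorter than this are not judged
SMALL_FRACTION = 0.7    # share of small packets that suggests a terminal session
MAX_MEDIAN_GAP = 1.0    # seconds: a steady trickle, not bursts separated by idle time

def flow_features(packets):
    """packets: list of (timestamp_s, direction 'c'|'s', payload_bytes) for one TCP flow."""
    sizes = [size for _, _, size in packets]
    times = [ts for ts, _, _ in packets]
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    return {
        "small_fraction": sum(s <= SMALL_PAYLOAD for s in sizes) / len(sizes),
        "median_gap": median(gaps) if gaps else 0.0,
        "client_share": sum(d == "c" for _, d, _ in packets) / len(packets),
    }

def looks_interactive(packets):
    """True when a flow is mostly small packets, evenly paced, in both directions."""
    if len(packets) < MIN_PACKETS:
        return False
    f = flow_features(packets)
    return (f["small_fraction"] >= SMALL_FRACTION
            and f["median_gap"] <= MAX_MEDIAN_GAP
            and 0.3 <= f["client_share"] <= 0.7)

def constructed_https_flow():
    """Constructed sample: five page loads, one request then a burst of full-size replies."""
    packets = []
    for page in range(5):
        t = page * 4.0
        packets.append((t, "c", 450))
        packets += [(t + 0.05 + 0.001 * k, "s", 1448) for k in range(6)]
    return packets

def constructed_interactive_flow():
    """Constructed sample: a handshake, then 40 small packets alternating every 0.3 s."""
    packets = [(0.00, "c", 517), (0.05, "s", 1448)]
    packets += [(1.0 + 0.3 * i, "c" if i % 2 == 0 else "s", 48 + 16 * (i % 3))
                for i in range(40)]
    return packets

if __name__ == "__main__":
    for name, flow in [("https-like", constructed_https_flow()),
                       ("interactive-like", constructed_interactive_flow())]:
        print(name, looks_interactive(flow), flow_features(flow))
```

A flag from a heuristic like this is a reason to look closer at a flow, not proof of what it carries; long-polling and chat-style web applications can produce similar shapes.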
