[Snort-users] Encrypted sessions

Chr. v. Stuckrad stucki at ...3882...
Tue Nov 27 13:26:11 EST 2001


On Tue, Nov 27, 2001 at 01:13:57PM -0800, Erek Adams wrote:
> *sigh*  I just love marketing/sales techno-babble.  Not!
*grin* There is another problem with 'encryption':
I've seen a thing like an IRC bot used as a DDoS command center
and communicating via an encrypted stream to the hacked host...

No chance to see anything, except if the key is already known.

> If it's encrypted traffic, to examine the traffic you would have to decode it.
But how?  If, for example, you want to look for specific bad traffic
(we had that with ssh1) and you want to find logins via ssh, you only
get the fact that there IS a connection, no contents (else ssh would be
useless anyway).

Stucki

-- 
Christoph von Stuckrad       * *  | nickname  | <stucki at ...3882...> \
Freie Universitaet Berlin    |/_* | 'stucki'  | Tel(days):+49 30 838-75 459 |
Fachbereich Mathematik, EDV  |\ * | if online | Tel(else):+49 30 77 39 6600 |
Arnimallee 2-6/14195 Berlin  * *  | on IRCnet | Fax(alle):+49 30 838-75454 /
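
Added example, not part of the original message: for SSH, a sensor that cannot read the session still sees the cleartext identification string each side sends before key exchange, which is enough to separate SSH1 from SSH2 connections. The function names, sample payloads and addresses below are constructed for illustration.

```python
import re

# Each side sends "SSH-<protoversion>-<softwareversion>[ comments]" followed by
# a newline in cleartext before any key exchange (RFC 4253, section 4.2).
BANNER_RE = re.compile(rb"^SSH-(\d+\.\d+)-([^\s]+)(?: [^\r\n]*)?\r?\n", re.M)


def classify_ssh_banner(payload: bytes):
    """Classify the first TCP payload of a connection.

    Returns (protoversion, softwareversion, verdict), or None when the
    payload does not contain an SSH identification line.
    """
    # A server may send other text lines before the banner, so search the
    # first bytes line by line instead of requiring a match at offset 0.
    m = BANNER_RE.search(payload[:512])
    if m is None:
        return None
    proto = m.group(1).decode("ascii")
    software = m.group(2).decode("ascii", "replace")
    if proto == "1.99":
        verdict = "ssh2-with-ssh1-fallback"  # server also accepts SSH1 clients
    elif proto.startswith("1."):
        verdict = "ssh1-only"
    elif proto.startswith("2."):
        verdict = "ssh2"
    else:
        verdict = "unknown"
    return proto, software, verdict


def ssh1_capable(first_payloads: dict):
    """Return the sorted endpoints whose banner still permits SSH1."""
    flagged = []
    for endpoint, payload in first_payloads.items():
        result = classify_ssh_banner(payload)
        if result and result[2] in ("ssh1-only", "ssh2-with-ssh1-fallback"):
            flagged.append(endpoint)
    return sorted(flagged)


# Constructed sample data: endpoint -> first server payload seen on the wire.
SAMPLES = {
    ("192.0.2.5", 22): b"SSH-1.5-1.2.27\n",
    ("192.0.2.6", 22): b"SSH-1.99-OpenSSH_2.9p2\n",
    ("192.0.2.7", 2222): b"SSH-2.0-OpenSSH_3.0.1p1\r\n",
    ("192.0.2.8", 6667): b"\x8f\x02\xc1\x9a\x00\x17opaque-bytes",  # not SSH
}
```

Everything after the identification line and key exchange is opaque to the sensor, so this yields protocol and software version per connection, not session contents.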