[Snort-users] Encrypted sessions

Erek Adams erek at ...577...
Tue Nov 27 13:31:03 EST 2001


On Tue, 27 Nov 2001, Chr. v. Stuckrad wrote:

> *grin* there is another problem with 'encryption':
> I've seen a thing like an IRC-Bot used as DDOS Command-Center
> and communicating via an encrypted stream to the hacked host...
>
> No chance to see anything, except if the key is already known.

Right!  But I was (pardon the pun) 'keying off' on the fact it was 'our
mailservers/webservers'.  I made the assumption that they had the keys.  :)

> But how?  If for example you would want to look for specific bad traffic
> (we had that with ssh1) and you want to find logins via ssh, you only
> get the fact, that there IS a connection, no contents (else ssh would be
> useless anyway).

Right again!  If the 3l33t hax0r uses a l33t algorithm like, oh, ROTT13, then
you've got a bit of a chance.   :)  But if it's something akin to ssh--Good
luck.

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
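An added example, not from this thread or from Snort: when the stream itself is opaque (ssh, or a bot's encrypted channel), the connection facts the thread mentions are still visible, and a small metadata-only triage over flow records can act on them. The hosts, ports, flow records and thresholds below are constructed assumptions for illustration.

```python
"""Metadata-only triage of encrypted sessions (added example).

With an encrypted payload an IDS cannot match on contents, so the signals
that remain are connection facts: who talked to whom, on which port, for
how long. This applies that idea to constructed flow records.
"""
from dataclasses import dataclass


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    seconds: int      # session duration
    bytes_out: int    # bytes sent by src


# Constructed sample flows (not real data).
FLOWS = [
    Flow("10.0.0.5", "10.0.1.25", 22, 40, 12_000),        # admin host -> mailserver, ssh
    Flow("203.0.113.9", "10.0.1.25", 22, 35, 9_000),      # outside host -> mailserver, ssh
    Flow("10.0.1.80", "198.51.100.7", 6667, 7200, 3_000),  # webserver -> external IRC, long-lived
    Flow("10.0.1.80", "198.51.100.20", 443, 2, 1_500),    # webserver -> ordinary short https
]

OUR_SERVERS = {"10.0.1.25", "10.0.1.80"}   # assumed mail/web servers
ADMIN_HOSTS = {"10.0.0.5"}                 # assumed legitimate ssh sources
LONG_SESSION = 3600                        # seconds; assumed threshold


def triage(flows):
    """Return (reason, src, dst) findings using connection facts only."""
    findings = []
    for f in flows:
        # ssh to our servers: the contents are opaque, but the source is not.
        if f.dst in OUR_SERVERS and f.dport == 22 and f.src not in ADMIN_HOSTS:
            findings.append(("ssh-from-unexpected-source", f.src, f.dst))
        # A server holding a long-lived outbound session is unusual for a
        # server; an encrypted bot command channel looks exactly like this.
        if f.src in OUR_SERVERS and f.dst not in OUR_SERVERS and f.seconds >= LONG_SESSION:
            findings.append(("long-outbound-session", f.src, f.dst))
    return findings


if __name__ == "__main__":
    for finding in triage(FLOWS):
        print(finding)
```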