[Snort-users] Encrypted sessions
erek at ...577...
Tue Nov 27 13:31:03 EST 2001
On Tue, 27 Nov 2001, Chr. v. Stuckrad wrote:
> *grin* there is another problem with 'encryption':
> I've seen a thing like an IRC-Bot used as DDOS Command-Center
> and communicating via an encrypted stream to the hacked host...
> No chance to see anything, except if the key is already known.
Right! But I was (pardon the pun) 'keying off' on the fact it was 'our
mailservers/webservers'. I made the assumption that they had the keys. :)
> But how? If for example you would want to look for specific bad traffic
> (we had that with ssh1) and you want to find logins via ssh, you only
> get the fact, that there IS a connection, no contents (else ssh would be
> useless anyway).
Right again! If the 3l33t hax0r uses a l33t algorithm like, oh, ROT13, then
you've got a bit of a chance. :) But if it's something akin to ssh--Good