
Re: [ISSForum] RSSS and SSL traffic



Nick,

For network or server sensor?

If using network sensors, a so-called SSL proxy is recommended. If a server sensor is in place, it should be Apache on Microsoft for SSL decryption.


Best regards,


Stephan Luedorf


-----Original Message-----
From: issforum-bounces@xxxxxxx [mailto:issforum-bounces@xxxxxxx] On Behalf Of Nicholas Cross
Sent: Sunday, August 28, 2005 11:37 PM
To: issforum; robert.sneddon@xxxxxxxxxxxxxx; simon.doyle@xxxxxxxxxxxxxx; Cross Nick
Subject: [ISSForum] RSSS and SSL traffic

Can anyone answer the following?

How does the RSSS match signatures to decrypted SSL traffic on, say, an Apache server?

If the pam.TCPPORTS.http only contains 80 and not 443, does the engine ignore the decoded SSL traffic as it was heading for port 443, thus the signatures for HTTP_* are not parsed for that payload?

If I do something like this https://myserver.com/../../../../etc/passwd
I would expect to see either a DOT_DOT or PASSWORD signature event, but I'm not.  What am I doing wrong?

Pointers to ISS white papers/docs would be good.

Cheers,

Nick.


_______________________________________________
ISSForum mailing list
ISSForum@xxxxxxx

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo/issforum

To contact the ISSForum Moderator, send email to mod-issforum@xxxxxxx

The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.

