15th July 2013
pttymuth

Snort is deployed where I work. It takes a lot of additional glue and duct tape in order for it to function cleanly.

Under my alias ejr2122, I was just saying on the FreeBSD Forums:

HIDS / IDS / IPS are all great.

One of these tools could be made to detect what looks like suspicious SSL connection initiations. When the detection occurs, perhaps it could start a MITM attack to inspect it first. It would, in other words, be an SSL gateway / proxy.

I've been in the cybersecurity industry for only a few months now and have already seen successful and unsuccessful rootkit infection attempts on some servers. In a couple of cases, attackers attempted to download special Perl scripts to the server. These Perl scripts would start an IRC session with some C&C server. Subroutines were defined in the Perl script for various system functions.

While IRC, like many protocols, can be caught by IDS analysis, SSL-encrypted traffic is difficult. SSH through port 80 seemed like the most commonplace example of SSL traffic network admins might want to catch.
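An added example, not code from the post or from Snort: a small Python check of the kind described above, which fingerprints the first client bytes of a TCP session independently of the port and raises an alert for IRC client registration (the bot behaviour mentioned) or for a recognised protocol on the wrong port, such as an SSH banner on port 80. The sample sessions and the port-to-protocol policy are constructed for illustration.

```python
import re

# Constructed sample sessions (dst port, first client payload bytes); not from any real capture.
SAMPLE_SESSIONS = [
    (80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    (80, b"SSH-2.0-OpenSSH_6.2\r\n"),                       # SSH tunnelled over the web port
    (443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),  # TLS handshake record header
    (6667, b"NICK bot01\r\nUSER bot01 8 * :bot01\r\nJOIN #cc\r\n"),
    (8080, b"PASS letmein\r\nNICK bot02\r\nUSER b 8 * :b\r\n"),
]

# Protocol a defender expects on each well-known port (assumed local policy, not a standard).
EXPECTED_ON_PORT = {22: "ssh", 80: "http", 443: "tls", 6667: "irc"}

HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
# IRC client registration commands at the start of any line (RFC 1459 NICK/USER/JOIN).
IRC_CLIENT = re.compile(rb"^(NICK|USER|JOIN) \S", re.MULTILINE)

def fingerprint(payload: bytes) -> str:
    """Classify a session by its first client bytes, ignoring the port entirely."""
    if payload.startswith(b"SSH-"):          # SSH identification string (RFC 4253)
        return "ssh"
    if payload[:2] == b"\x16\x03":           # TLS handshake record, protocol version 3.x
        return "tls"
    if HTTP_REQUEST.match(payload):
        return "http"
    if IRC_CLIENT.search(payload):
        return "irc"
    return "unknown"

def inspect(port: int, payload: bytes) -> list[str]:
    """Return alert strings for one session: IRC registration on any port, or a
    recognised protocol that does not match the port it was sent to."""
    proto = fingerprint(payload)
    alerts = []
    if proto == "irc":
        alerts.append(f"irc client registration on port {port}")
    expected = EXPECTED_ON_PORT.get(port)
    if expected and proto not in ("unknown", expected):
        alerts.append(f"{proto} on port {port} (expected {expected})")
    return alerts

def scan(sessions) -> list[str]:
    """Run inspect() over (port, payload) pairs and collect every alert."""
    return [a for port, payload in sessions for a in inspect(port, payload)]

if __name__ == "__main__":
    for alert in scan(SAMPLE_SESSIONS):
        print("ALERT:", alert)
```

The first-bytes check only sees the initial cleartext; once a session is TLS, only the gateway/proxy approach the post describes, or endpoint telemetry, can see what is inside.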