From: Joe Carnahan (haq4jcYAHOO.COM)
Date: Fri Mar 30 2001 - 18:47:41 CST

    > My question is: what is the best solution to use
    > in this case and how can I monitor encrypted
    > traffic?

    I have to put in a plug for Shadow here - Since it
    doesn't monitor content, encrypted packet payloads
    don't make it any less effective. And, with a good
    set of filters, you're really going to find out as
    much as you could ever want to about the network and
    about suspicious goings-on. I work on a network that
    is currently using Shadow and Snort simultaneously, and
    while each of them is detecting different things,
    I've got to say that Shadow cranks out more than its
    share of the detects that we get.

    What else could you do? Decrypt all of the traffic on
    the fly? Ouch... Either it's not a very strong
    encryption, or it'll just take too much time and
    processor to keep up with the load. Or, you can
    deploy some kind of IDS on the hosts themselves to
    look at the traffic and/or the effects of the traffic
    after it's been decrypted on that machine, which is
    basically what everyone else here is saying.

    Well, good luck with whatever you decide to try!

    Hackin' away,
    Joe Carnahan

    =====
    Joseph Carnahan
    haq4jcyahoo.com
    Home: (540) 361-4345
    Work: (540) 653-5798
       or (703) 697-6318

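What a payload-blind IDS of the kind the post describes actually has to work with, as an added example (my own code, not Shadow's, Snort's or the poster's): the filters below look only at timestamps, addresses, ports and TCP flags, so an SSH or TLS session is no harder to analyse than cleartext. The record format, the 10.0.x.x addresses, the thresholds and the `EXPECTED_SERVICES` map are all assumptions made for this example, and the sample records are constructed. It goes one step beyond the post by pairing the rate-based scan filters with a rate-independent policy filter, to show which kind of probe each one catches.

```python
"""Payload-blind traffic analysis over constructed packet-header records.

Added example, not code from Shadow, Snort or the original post. Each record
is one packet header in a simplified tcpdump-like form assumed here:

    <epoch_seconds> <proto> <src_ip>:<src_port> > <dst_ip>:<dst_port> [<tcp_flags>]

No payload bytes are present, so encrypted sessions look the same to these
filters as cleartext ones: detection rests on who talks to whom, on which
ports, how often, and with which TCP flags.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

RECORD_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?: (?P<flags>[A-Z]+))?$"
)


@dataclass(frozen=True)
class Record:
    ts: float
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flag letters such as "S", "SA", "A"; empty for non-TCP


def parse_record(line):
    """Parse one header line; returns None for lines that do not match."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    return Record(float(m["ts"]), m["proto"].lower(), m["src"], int(m["sport"]),
                  m["dst"], int(m["dport"]), m["flags"] or "")


def parse_records(text):
    return [r for r in map(parse_record, text.splitlines()) if r is not None]


def _syns(records):
    """Connection attempts only: TCP with SYN set and ACK clear."""
    return [r for r in records if r.proto == "tcp" and "S" in r.flags and "A" not in r.flags]


def _burst_count(events, window):
    """Largest number of distinct keys inside any `window`-second span of (ts, key) events."""
    events = sorted(events)
    best = 0
    for i, (t0, _) in enumerate(events):
        best = max(best, len({k for t, k in events[i:] if t - t0 <= window}))
    return best


def detect_port_scans(records, window=60.0, min_ports=10):
    """Vertical scan: one source SYNs >= min_ports distinct ports on one host within window."""
    by_pair = defaultdict(list)
    for r in _syns(records):
        by_pair[(r.src, r.dst)].append((r.ts, r.dport))
    return [("portscan", src, dst, n) for (src, dst), ev in by_pair.items()
            if (n := _burst_count(ev, window)) >= min_ports]


def detect_host_sweeps(records, window=60.0, min_hosts=8):
    """Horizontal sweep: one source SYNs the same port on >= min_hosts hosts within window."""
    by_port = defaultdict(list)
    for r in _syns(records):
        by_port[(r.src, r.dport)].append((r.ts, r.dst))
    return [("hostsweep", src, dport, n) for (src, dport), ev in by_port.items()
            if (n := _burst_count(ev, window)) >= min_hosts]


def detect_unexpected_services(records, expected):
    """Policy filter: SYNs to a monitored server on a port it is not meant to serve.
    `expected` maps server IP -> set of allowed listening ports. Rate-independent, so a
    slow probe that stays under the burst thresholds above is still reported."""
    hits = {("unexpected-service", r.src, r.dst, r.dport) for r in _syns(records)
            if r.dst in expected and r.dport not in expected[r.dst]}
    return sorted(hits)


# Constructed sample (hypothetical addresses): two encrypted sessions, a fast vertical
# scan, a host sweep on 445, and a slow probe spaced two minutes apart.
SAMPLE_RECORDS = "\n".join(
    ["1000.00 tcp 10.0.0.5:40001 > 10.0.0.9:22 S",      # SSH handshake
     "1000.01 tcp 10.0.0.9:22 > 10.0.0.5:40001 SA",
     "1000.02 tcp 10.0.0.5:40001 > 10.0.0.9:22 A",
     "1001.00 tcp 10.0.0.7:51000 > 10.0.0.9:443 S",     # HTTPS handshake
     "1001.01 tcp 10.0.0.9:443 > 10.0.0.7:51000 SA",
     "1001.02 tcp 10.0.0.7:51000 > 10.0.0.9:443 A"]
    + [f"{1100 + i * 0.1:.2f} tcp 10.0.0.66:{40000 + i} > 10.0.0.9:{20 + i} S" for i in range(12)]
    + [f"{1200 + i * 0.2:.2f} tcp 10.0.0.66:{41000 + i} > 10.0.1.{i + 1}:445 S" for i in range(10)]
    + [f"{1300 + i * 120:.2f} tcp 10.0.0.77:{42000 + i} > 10.0.0.9:{8000 + i} S" for i in range(5)]
)

EXPECTED_SERVICES = {"10.0.0.9": {22, 443}}  # assumed: this host only serves SSH and HTTPS


def run_filters(text=SAMPLE_RECORDS, expected=EXPECTED_SERVICES):
    records = parse_records(text)
    return (detect_port_scans(records)
            + detect_host_sweeps(records)
            + detect_unexpected_services(records, expected))


if __name__ == "__main__":
    for alert in run_filters():
        print(alert)
```

On the sample, the burst filters report the twelve-port scan and the ten-host sweep from 10.0.0.66, and nothing about the two encrypted sessions; the probe from 10.0.0.77 never exceeds one port per 60 seconds and so slips past both, which is exactly what the policy filter is there for: it flags each of its five SYNs to ports 10.0.0.9 is not supposed to serve. None of this needed a byte of payload, which is the whole argument for running header-level analysis alongside a content-matching sensor.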