On Friday 07 March 2003 09:13, Christoph Haas wrote:
> On Fri, Mar 07, 2003 at 12:25:26AM +0100, Henrik Nordstrom wrote:
> > You can always use IDS tools like snort and the like to detect such
> > strange traffic patterns.
>
> But how can snort tell one SSL connection from the other?
From the, though admittedly little, information I learned, it is not too
hard to get a reasonably good idea what kind of traffic is going through
an SSL tunnel, as ssh-like conversations have wildly different
characteristics than your typical https "conversation" does.
Both in frequency, and in packetsize. I don't know if there is any (snort
or otherwise) implementation to check for such signs, but I will bet it
is feasible. If you already suspect certain individuals you can probably
get enough reasons to get them for breaking company policy.
At least until the 'hackers' start padding the packets and take very big
lag as a neccessary 'feature'. Which is doubtful they can bear...
Maarten
-- This email has been scanned for the presence of computer viruses. Maarten J. H. van den Berg ~~//~~ network administrator VBVB - Amsterdam - The Netherlands - http://vbvb.nl T +31204233288 F +31204233286 G +31651994273Received on Fri Mar 07 2003 - 02:20:36 MST
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:13:57 MST