
IDS, detection of encrypted packets within non-SSL traffic streams?

astroman
Level 1

All...

Here's the scenario:

There's a host on the internal network that has a reverse shell to the outside world, and the packets being sent back to the attacker are encrypted, over a standard web (TCP/80) port - which is allowed by Websense or URL filter of choice.

Can a custom signature be created to alert on the detection of encrypted packets / data streams over non-encrypted transmissions? We've found other IDS/IPS systems that we're able to build custom sigs to detect and alert on these streams, but are wondering if we can do that within Cisco IDS/IPS?

Please be specific if possible...let's assume the organization is using the latest version of Cisco IDS software.

Thanks in advance...

1 Reply

bnidacoc
Level 1

Have you got Sig 11233 series enabled?  It does, BTW, appear to exclude "WEBPORTS."  Maybe a copy could be made to exclude only TCP 443.
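The kind of check the question describes (opaque, high-entropy data on TCP/80 that does not begin as HTTP), sketched as an added example that is not part of the original thread and is not Cisco IDS/IPS signature syntax. The threshold, minimum length, function names and sample payloads are assumptions made for illustration.

```python
import hashlib
import math
import re
from collections import Counter

# Assumed tuning values: ciphertext approaches 8 bits/byte, ASCII HTTP headers sit well below.
ENTROPY_THRESHOLD = 7.0
MIN_LEN = 256  # entropy estimates on short payloads are unreliable
HTTP_START = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT|TRACE|PATCH) \S+ HTTP/1\.[01]\r\n"
)

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_first_payload(dport: int, payload: bytes) -> str:
    """Classify the first client-to-server payload of a TCP flow."""
    if dport != 80:
        return "ignored"  # e.g. TCP/443 is expected to carry encrypted data
    if HTTP_START.match(payload):
        return "http"  # well-formed request line; compressed bodies are legitimately high entropy
    if len(payload) < MIN_LEN:
        return "non-http-short"
    if shannon_entropy(payload) >= ENTROPY_THRESHOLD:
        return "alert-high-entropy-non-http"
    return "non-http-low-entropy"

def constructed_random(n: int) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (constructed sample)."""
    out = b""
    i = 0
    while len(out) < n:
        out += hashlib.sha256(i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]

if __name__ == "__main__":
    http_req = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"  # constructed sample
    for name, dport, data in [("http", 80, http_req),
                              ("opaque", 80, constructed_random(1024)),
                              ("tls-port", 443, constructed_random(1024))]:
        print(name, round(shannon_entropy(data), 2), classify_first_payload(dport, data))
```

Checking only the first client payload keeps compressed response bodies and media downloads, which are also high entropy, from raising the alert.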
