IDS, detection of encrypted packets within non-SSL traffic streams?
Here's the scenario:
There's a host on the internal network that has a reverse shell to the outside world, and the packets being sent back to the attacker are encrypted, over a standard web (TCP/80) port - which is allowed by Websense or URL filter of choice.
Can a custom signature be created to alert on the detection of encrypted packets / data streams over non-encrypted transmissions? We've found other IDS/IPS systems that we're able to build custom sigs to detect and alert on these streams, but are wondering if we can do that in within Cisco IDS/IPS?
Please be specific if possible...let's assume the organization is using the latest version of Cisco IDS software.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...