I'm just trying to find out an IDS that does inspect HTTPS traffic..?
Does ACARM inspect HTTPS traffic..?
Hi. What do you mean by inspecting HTTPS traffic - do you want to monitor content, or just whether communication has been established between given hosts?

Anonymous - 2014-04-05
It's like:
- Is the HTTPS traffic malicious or not, e.g. generated by malware on my system?
- Is a malicious user wrapping a blocked protocol through HTTPS, e.g. Stunnel?
I'm working on HTTPS traffic classification, so I just want to know how ACARM-ng looks at HTTPS traffic.
Thanks for the reply.

HTTPS by definition is impossible to eavesdrop (at least for now). So there is no way of classifying HTTPS content by an external sniffer/IDS. Large companies, i.e. banks, do this for their workers, but it's more involved. You would need to perform a man-in-the-middle attack: trust your CA in every user's browser (you will need physical access to every computer you want to "protect"), then you will need to issue a fake certificate for every site your user visits (automatically). Then in this proxy node you will have access to unencrypted traffic that can be monitored by basically any sniffer/IDS you want.
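As an added example that is not part of this thread or of ACARM-ng: the reply above explains why an external IDS cannot read HTTPS content without a decrypting proxy, but the TLS ClientHello that opens every HTTPS connection is still sent in clear, so an on-path sensor can classify flows by its metadata (offered TLS version, cipher suites, the SNI hostname) without any certificate tricks. The parser below reads exactly that metadata; the ClientHello bytes it runs on are constructed by the helper, not captured traffic.

```python
import struct
from typing import List, Optional

SNI_EXT = 0x0000  # server_name extension type (RFC 6066)

def parse_client_hello(record: bytes) -> dict:
    """Return the plaintext metadata an IDS can read from a TLS ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:          # 0x16 = handshake record
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:              # 0x01 = ClientHello
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 0
    version = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
    pos += 32                                         # client random
    sid_len = hs[pos]; pos += 1 + sid_len             # session id
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = hs[pos]; pos += 1 + comp_len           # compression methods
    sni = None
    if pos + 2 <= len(hs):                            # extensions block is optional
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4]); pos += 4
            edata = hs[pos:pos + elen]; pos += elen
            # server_name: list length(2) | name type(1)=0 host_name | name length(2) | name
            if etype == SNI_EXT and len(edata) >= 5 and edata[2] == 0:
                name_len = struct.unpack("!H", edata[3:5])[0]
                sni = edata[5:5 + name_len].decode("ascii", "replace")
    return {"version": version, "cipher_suites": suites, "sni": sni}

def build_client_hello(sni: Optional[str], suites: List[int]) -> bytes:
    """Constructed sample ClientHello (zeroed random, TLS 1.2) for offline testing."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hs = struct.pack("!H", 0x0303) + bytes(32) + b"\x00"          # version, random, no session id
    hs += struct.pack("!H", len(cs)) + cs + b"\x01\x00"           # suites, one null compression
    if sni is not None:
        name = sni.encode("ascii")
        sni_data = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
        ext = struct.pack("!HH", SNI_EXT, len(sni_data)) + sni_data
        hs += struct.pack("!H", len(ext)) + ext
    body = b"\x01" + len(hs).to_bytes(3, "big") + hs
    return b"\x16\x03\x01" + struct.pack("!H", len(body)) + body
```

A sensor that sees a ClientHello to port 443 with no SNI, an unusual cipher list, or a hostname that is not a web site is the kind of signal that separates a Stunnel-style tunnel from ordinary browsing, even though the payload itself stays opaque.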