[Discussion] Capture Clients?

Matt Jonkman jonkman at jonkmans.com
Fri Apr 3 19:00:04 UTC 2009


So you mean, for instance, in the event of an HTTPS DDoS? Or some form of
encrypted session?

Have the client grab it after decryption and save to be analyzed?

Matt

Kevin Ross wrote:
> Hi, I was thinking: imagine if an intrusion was detected between a
> malicious host, say 81.1.1.1, and the victim 10.0.0.2, with the
> distributed IDS in between. What if, when an attack was underway, there were
> agents available on clients/servers which the distributed IDS
> could then use to capture activity, i.e. network activity etc. between it and
> the compromised host? I.e. say there was an attack; the distributed IDS
> master sensor would "say" to the agent on 10.0.0.2 "record all
> communications you have with 81.1.1.1 and then forward it to me".
> 
> This way greater visibility is given into the attack, providing greater
> forensic information, especially if encryption is then used to hide
> attack responses, backdoors, whatever. The agent perhaps could then be
> used in some sort of active response on the client, but ideally just a
> small capture agent. This would give more attack information and
> confirmation of whether the attack was successful.

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
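The master-to-agent exchange Kevin sketches ("record all communications you have with 81.1.1.1 and then forward it to me") is easy to describe and easy to get wrong: an endpoint that records and forwards traffic on command is also a ready-made exfiltration tool for anyone who can speak to it as the master. The following is an added illustration, not code from this thread, from Emerging Threats or from any distributed IDS; the message layout, the pre-shared key, the host addresses reused from the thread and the sample packets are all constructed for the example. It models the two sides of the exchange in one process: the master signs a capture instruction with an HMAC, the agent refuses forged, tampered or stale instructions, keeps a set of peers to record, filters the traffic it sees (plaintext payloads stand in for data the agent would capture after decryption), and signs the report it sends back so the master can tell which agent it came from.

```python
import hashlib
import hmac
import ipaddress
import json

# Constructed values for this example (assumptions, not from the thread):
# a pre-shared key and the two hosts named in the discussion. A real
# deployment would provision a distinct key per agent.
SHARED_KEY = b"example-master-agent-key"
VICTIM_IP = "10.0.0.2"
ATTACKER_IP = "81.1.1.1"


def _canonical(body):
    """Stable serialisation so master and agent MAC exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_request(key, body):
    """Wrap a message body with an HMAC-SHA256 tag (used by both sides)."""
    mac = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def verify_mac(key, envelope):
    """Constant-time check that the tag matches the body under this key."""
    expected = hmac.new(key, _canonical(envelope["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope.get("mac", ""))


def verify_request(key, envelope, now, max_age=300):
    """Agent side: accept only authentic, well-formed, fresh instructions.
    Returns the body on success and raises ValueError otherwise. Freshness is
    a simple time window; a production agent would also track nonces."""
    if not verify_mac(key, envelope):
        raise ValueError("bad signature")
    body = envelope["body"]
    if body.get("action") not in ("record", "stop"):
        raise ValueError("unknown action")
    issued = body.get("issued")
    if not isinstance(issued, (int, float)) or abs(now - issued) > max_age:
        raise ValueError("stale request")
    ipaddress.ip_address(body.get("peer", ""))  # ValueError if not an address
    return body


class CaptureAgent:
    """Endpoint agent: holds the set of peers to record and filters traffic."""

    def __init__(self, key, local_ip):
        self.key = key
        self.local_ip = local_ip
        self.peers = set()

    def handle_command(self, envelope, now):
        """Process one master instruction; never acts on an unverified one."""
        try:
            body = verify_request(self.key, envelope, now)
        except ValueError as exc:
            return {"ok": False, "error": str(exc)}
        if body["action"] == "record":
            self.peers.add(body["peer"])
        else:
            self.peers.discard(body["peer"])
        return {"ok": True, "peers": sorted(self.peers)}

    def observe(self, packets):
        """Keep only packets exchanged between this host and a recorded peer."""
        captured = []
        for pkt in packets:
            if pkt["src"] == self.local_ip:
                other = pkt["dst"]
            elif pkt["dst"] == self.local_ip:
                other = pkt["src"]
            else:
                continue  # not our traffic at all
            if other in self.peers:
                captured.append(pkt)
        return captured

    def build_report(self, packets):
        """Sign the capture so the master can attribute it to this agent."""
        return sign_request(self.key, {"agent": self.local_ip,
                                       "packets": self.observe(packets)})


# Constructed sample traffic as the agent would see it after decryption.
SAMPLE_PACKETS = [
    {"src": ATTACKER_IP, "dst": VICTIM_IP, "payload": "GET /cgi-bin/x HTTP/1.1"},
    {"src": VICTIM_IP, "dst": ATTACKER_IP, "payload": "HTTP/1.1 200 OK"},
    {"src": "10.0.0.5", "dst": VICTIM_IP, "payload": "SMB negotiate"},
    {"src": VICTIM_IP, "dst": "10.0.0.1", "payload": "DNS query"},
]


def demo():
    """Master issues a record order; the agent acks, captures and reports."""
    order = sign_request(SHARED_KEY, {"action": "record", "peer": ATTACKER_IP,
                                      "issued": 1000})
    agent = CaptureAgent(SHARED_KEY, VICTIM_IP)
    ack = agent.handle_command(order, now=1000)
    report = agent.build_report(SAMPLE_PACKETS)
    return ack, report


if __name__ == "__main__":
    ack, report = demo()
    print(ack)
    print(json.dumps(report["body"], indent=1))
```

Only the two packets between 10.0.0.2 and 81.1.1.1 end up in the report; an envelope whose peer field is edited after signing, or one replayed outside the time window, is rejected before the agent changes what it records.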