<div dir="ltr">This is NOT intended as an advertisement, but if you want to check it out, we've been blogging about how to use Zeek vs encrypted traffic on the Corelight blog.<div><br></div><div><a href="https://corelight.blog/tag/encryption/">https://corelight.blog/tag/encryption/</a> </div><div><br></div><div>Sincerely,</div><div><br></div><div>Richard <br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Mar 12, 2020 at 3:48 AM Abhishek Singh <<a href="mailto:toabhisheksingh@gmail.com">toabhisheksingh@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Experts,<div><br></div><div>I was wondering what effect the rise in TLS traffic has on IDS applications like Zeek. </div><div>Since Zeek (or other IDS applications like Snort and Suricata) will not be able to inspect the content of majority of the connections as they will be encrypted, will this make IDS less useful going forward? </div><div>If yes, what are the ways being considered to overcome this challenge? Is becoming an inline device with man in the middle capabilities an option? Or is TLS offloading to a different device that can send us a copy of the decrypted traffic for inspection the preferred option? </div><div><br></div><div>Please pardon me if these are naive questions. I am new to the world of IDS and am trying to learn more about them.</div><div><br></div><div>- Abhi</div></div>
_______________________________________________<br>
Zeek mailing list<br>
<a href="mailto:zeek@zeek.org" target="_blank">zeek@zeek.org</a><br>
<a href="http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek" rel="noreferrer" target="_blank">http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek</a></blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr">Richard Bejtlich<div>Principal Security Strategist, Corelight</div><div><a href="https://corelight.blog/author/richardbejtlich/" target="_blank">https://corelight.blog/author/richardbejtlich/</a><br></div></div></div></div></div></div></div>