[Zeek] Effect of TLS traffic on inspection

Abhishek Singh toabhisheksingh at gmail.com
Thu Mar 12 00:46:31 PDT 2020


Experts,

I was wondering what effect the rise in TLS traffic has on IDS applications
like Zeek.
Since Zeek (or other IDS applications like Snort and Suricata) will not be
able to inspect the content of the majority of connections, as they will be
encrypted, will this make IDS less useful going forward?
If yes, what are the ways being considered to overcome this challenge? Is
becoming an inline device with man-in-the-middle capabilities an option? Or
is TLS offloading to a different device that can send us a copy of the
decrypted traffic for inspection the preferred option?

Please pardon me if these are naive questions. I am new to the world of IDS
and am trying to learn more about them.

- Abhi