[Zeek] Effect of TLS traffic on inspection

Richard Bejtlich richard at corelight.com
Thu Mar 12 05:27:32 PDT 2020


This is NOT intended as an advertisement, but if you want to check it out,
we've been blogging about how to use Zeek vs encrypted traffic on the
Corelight blog.

https://corelight.blog/tag/encryption/

Sincerely,

Richard

On Thu, Mar 12, 2020 at 3:48 AM Abhishek Singh <toabhisheksingh at gmail.com>
wrote:

> Experts,
>
> I was wondering what effect the rise in TLS traffic has on IDS
> applications like Zeek.
> Since Zeek (or other IDS applications like Snort and Suricata) will not be
> able to inspect the content of the majority of the connections, as they will
> be encrypted, will this make IDS less useful going forward?
> If yes, what are the ways being considered to overcome this challenge? Is
> becoming an inline device with man-in-the-middle capabilities an option? Or
> is TLS offloading to a different device that can send us a copy of the
> decrypted traffic for inspection the preferred option?
>
> Please pardon me if these are naive questions. I am new to the world of
> IDS and am trying to learn more about them.
>
> - Abhi
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
-- 
Richard Bejtlich
Principal Security Strategist, Corelight
https://corelight.blog/author/richardbejtlich/