[Zeek] Effect of TLS traffic on inspection

Kevin Ross kevross33 at googlemail.com
Thu Mar 12 09:01:34 PDT 2020


These are helpful talks on the subject of using Zeek-style metadata.


JA3 asking for a friend (2019):
https://www.youtube.com/watch?v=HrP6Ep3xgQM&t=684s
Network forensics in an encrypted world (2017 but covers a lot of
indicators you can hunt on):
https://www.youtube.com/watch?v=APHlvFaUEKE&t=1930s
Encrypted things: Network detection and response in an encrypted world:
https://www.youtube.com/watch?v=HPvIGP2mgbI&t=2667s
Security Onion Conference 2019: Finding traffic anomalies using SSL
certificates:
https://www.youtube.com/watch?v=-WD9BWlENwc&t=762s

On Thu, 12 Mar 2020, 07:49 Abhishek Singh, <toabhisheksingh at gmail.com>
wrote:

> Experts,
>
> I was wondering what effect the rise in TLS traffic has on IDS
> applications like Zeek.
> Since Zeek (or other IDS applications like Snort and Suricata) will not be
> able to inspect the content of majority of the connections as they will be
> encrypted, will this make IDS less useful going forward?
> If yes, what are the ways being considered to overcome this challenge? Is
> becoming an inline device with man in the middle capabilities an option? Or
> is TLS offloading to a different device that can send us a copy of the
> decrypted traffic for inspection the preferred option?
>
> Please pardon me if these are naive questions. I am new to the world of
> IDS and am trying to learn more about them.
>
> - Abhi
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
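The talks above are about hunting on the metadata Zeek still records for a TLS session even though the payload is encrypted: the client fingerprint (JA3), the server certificate fields, and the SNI. The script below is an added example written for this thread, not code from Kevin or from the Zeek project. It parses Zeek's TSV ssl.log format and flags JA3 hashes seen from very few client hosts, certificates that fail validation or are self-signed, and sessions with no SNI. It assumes the ssl.log field set produced with the validate-certs policy and the JA3 package loaded (the `validation_status` and `ja3` columns); the log rows and the JA3 values in them are constructed placeholders, not real fingerprints.

```python
"""Hunting on Zeek ssl.log metadata (added example, not Zeek project code).

Parses Zeek's TSV ssl.log and flags indicators that need no decryption:
client fingerprints (JA3) seen from very few hosts, certificates that
fail validation or are self-signed, and TLS sessions without SNI.
Field names are Zeek's ssl.log with the validate-certs policy and the
JA3 package loaded (assumed); all log content below is constructed.
"""
from collections import defaultdict

# Reduced ssl.log field set (assumed to match a Zeek 3.x ssl.log with JA3).
FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
          "version", "server_name", "subject", "issuer", "validation_status", "ja3"]

# Constructed JA3 values: placeholders, not real fingerprints.
JA3_COMMON = "00000000000000000000000000000aaa"
JA3_RARE_1 = "00000000000000000000000000000bbb"
JA3_RARE_2 = "00000000000000000000000000000ccc"

# Constructed rows in Zeek's column order; "-" is Zeek's unset marker.
ROWS = [
    ["1583999000.1", "Cex1", "10.0.0.5", "51000", "93.184.216.34", "443", "TLSv12",
     "www.example.com", "CN=www.example.com", "CN=Example Public CA", "ok", JA3_COMMON],
    ["1583999001.2", "Cex2", "10.0.0.6", "51001", "93.184.216.34", "443", "TLSv12",
     "www.example.com", "CN=www.example.com", "CN=Example Public CA", "ok", JA3_COMMON],
    ["1583999002.3", "Cex3", "10.0.0.7", "51002", "93.184.216.34", "443", "TLSv13",
     "www.example.com", "CN=www.example.com", "CN=Example Public CA", "ok", JA3_COMMON],
    # no SNI, self-signed certificate, fingerprint seen from a single host
    ["1583999003.4", "Cex4", "10.0.0.8", "51003", "203.0.113.9", "443", "TLSv12",
     "-", "CN=localhost", "CN=localhost", "self signed certificate", JA3_RARE_1],
    # expired certificate presented to an otherwise common client
    ["1583999004.5", "Cex5", "10.0.0.5", "51004", "198.51.100.20", "8443", "TLSv12",
     "updates.example.net", "CN=updates.example.net", "CN=Example Public CA",
     "certificate has expired", JA3_COMMON],
    # resumed session: no certificate fields logged, no SNI, single-host fingerprint
    ["1583999005.6", "Cex6", "10.0.0.9", "51005", "203.0.113.9", "443", "TLSv12",
     "-", "-", "-", "-", JA3_RARE_2],
]

# Assemble the constructed log in Zeek's TSV layout with its '#' header lines.
SAMPLE_SSL_LOG = "\n".join(
    ["#separator \\x09", "#unset_field\t-", "#empty_field\t(empty)", "#path\tssl",
     "#fields\t" + "\t".join(FIELDS)] + ["\t".join(r) for r in ROWS]) + "\n"


def parse_ssl_log(text):
    """Return one dict per connection; '-' becomes None, '(empty)' becomes ''."""
    fields, records = None, []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue  # other header lines (#separator, #types, #close)
        if fields is None:
            raise ValueError("data row before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        records.append({k: None if v == "-" else "" if v == "(empty)" else v
                        for k, v in zip(fields, values)})
    return records


def ja3_host_counts(records):
    """Number of distinct client IPs per JA3 hash (prevalence, not a blocklist)."""
    hosts = defaultdict(set)
    for r in records:
        if r.get("ja3"):
            hosts[r["ja3"]].add(r["id.orig_h"])
    return {h: len(ips) for h, ips in hosts.items()}


def find_anomalies(records, max_hosts=1):
    """Map uid -> list of reasons a session deserves a closer look."""
    counts = ja3_host_counts(records)
    findings = {}
    for r in records:
        reasons = []
        if r.get("server_name") is None:
            reasons.append("no_sni")
        subject, issuer = r.get("subject"), r.get("issuer")
        if subject and issuer and subject == issuer:
            reasons.append("self_signed")
        status = r.get("validation_status")
        if status is not None and status != "ok":
            reasons.append(f"validation:{status}")
        if r.get("ja3") and counts[r["ja3"]] <= max_hosts:
            reasons.append(f"rare_ja3:{counts[r['ja3']]}_host")
        if reasons:
            findings[r["uid"]] = reasons
    return findings


if __name__ == "__main__":
    for uid, why in find_anomalies(parse_ssl_log(SAMPLE_SSL_LOG)).items():
        print(uid, ", ".join(why))
```

The JA3 check is deliberately a prevalence count rather than a lookup against a list of known-bad hashes: on a real network the interesting fingerprints are usually the ones only one or two hosts produce, and the threshold (`max_hosts`) is something to tune against your own baseline. Resumed sessions carry no certificate, so the certificate checks are skipped for them rather than treated as failures.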