Comments on TaoSecurity Blog: NSM vs Encrypted Traffic Revisited
Blog author: Richard Bejtlich (http://www.blogger.com/profile/13512184196416665417)
Comment feed last updated 2023-10-16T06:06:25-04:00. Seven comments, newest first.

---

Unknown (https://www.blogger.com/profile/15357840241031190415), 2008-06-11 17:57 -04:00

Richard, thanks for the response. I think I just got bogged down in the original post. I gave it a few reads, but just kinda wanted the quick answer. Now that you pulled that quote out, it of course is clear as day and I'm smacking my forehead. :)

Makes sense!

---

Seth Hall (https://www.blogger.com/profile/12496449784833418201), 2008-06-06 12:37 -04:00

David, thanks for writing that clarification, I was just about to do the same. :)

Another advantage to the Time Machine is the ability for external tools to be able to talk to it. In Bro, they're implementing a feature in which Bro might notice some interesting activity and it could automatically put out a request to your Time Machine installation to grab all of the traffic relating to the host that raised the interesting activity. Essentially, it helps in creating investigation bundles.

---

DavidJBianco (https://www.blogger.com/profile/09760835714791462863), 2008-06-05 15:15 -04:00

BTW, I do think Time Machine is more advanced than the methods Sguil typically uses. I have blogged a bit about Sguil's packet capture here (http://blog.vorant.com/2008/04/pcap-indexing.html) and here (http://blog.vorant.com/2008/05/alternative-pcap-subsystems-for-sguil.html). Although I didn't talk about Time Machine, I have evaluated it and found it to be quite nice. The cut-off feature for larger sessions is configurable, and could be deployed in many different ways (e.g., only between trusted systems) or not at all.

The "advanced" part really comes into play with capture and retrieval performance. Time Machine tries very hard to cache as much as possible in RAM, and its use of indices to speed up retrieval is very nice.

I know it's a little off-topic here, but I just wanted to point out that you can use Time Machine as an advanced packet capture system without sacrificing forensic viability of the data.

---

Anonymous, 2008-06-05 09:57 -04:00

By the way, what is SSL, sir?

---

Richard Bejtlich (https://www.blogger.com/profile/13512184196416665417), 2008-06-05 07:21 -04:00

One comment from me -- I neglected to specifically comment on differences between terminating SSL and providing private keys to the sensor so it can decrypt SSL. The problem with the second approach is that it's really only useful for monitoring inbound traffic to your servers, whereas I'm more concerned with watching outbound traffic to someone else's servers. The passive decryption approach is still an option, but you might consider reviewing logs or using a server-based monitoring approach if you want to see traffic to servers you control.

---

dre (https://www.blogger.com/profile/17414510788948258195), 2008-06-05 05:19 -04:00

Wow, I just read "Tales from the Crypt: fingerprinting attacks on encrypted channels by way of retainting", which apparently discusses detecting zero-day encrypted attacks. Who would have known?

There's also a follow-up paper which discusses implementation, "D2.4: Enhanced NoAH implementation and optimizations" from the European Network of Affined Honeypots.

I found "STILL: Exploit Code Detection via Static Taint and Initialization Analyses" not too difficult of a read compared to other recent publications on this subject.

---

dre (https://www.blogger.com/profile/17414510788948258195), 2008-06-05 01:41 -04:00

ssldump can't handle EDH
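Two of the comments above make one technical point between them: Richard notes that handing the server's private key to a sensor only helps with traffic to servers you control, and dre notes that ssldump (the usual tool for that passive approach) cannot handle EDH. The toy model below, added here as an illustration and not code from the post, the commenters, ssldump or any TLS implementation, shows the mechanism behind both remarks. It simulates a static-RSA handshake and an ephemeral-DH handshake in miniature and then runs a "sensor" that holds the server's private key against the captured wire data. Everything is constructed: textbook RSA with no padding, a random 256-bit DH modulus with generator 2 in place of a standard group, and a SHA-256/HMAC record layer standing in for the TLS PRF and cipher suite. Function names (`handshake`, `passive_decrypt`, `seal`, `open_record`) are this example's own.

```python
"""Toy model of passive SSL/TLS decryption with the server's private key.
Constructed example: textbook RSA, random DH modulus, SHA-256 'record layer'."""
import hashlib
import hmac
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin; good enough for a toy key generator."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def rsa_keygen(bits: int = 512) -> tuple:
    """Server's long-term textbook RSA key (n, e, d); e=65537 is prime, so it
    is invertible mod phi exactly when 65537 does not divide phi."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if phi % 65537:
            return n, 65537, pow(65537, -1, phi)


def derive_key(premaster: int, client_random: bytes, server_random: bytes) -> bytes:
    """Stand-in for the TLS PRF: session key from premaster plus both randoms."""
    pm = premaster.to_bytes((premaster.bit_length() + 7) // 8, "big")
    return hashlib.sha256(b"master secret" + pm + client_random + server_random).digest()


def _keystream(key: bytes, length: int) -> bytes:
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC record: XOR keystream, then HMAC-SHA256 tag."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()


def open_record(key: bytes, record: bytes):
    """Plaintext, or None when the tag fails (wrong key or tampered record)."""
    ct, tag = record[:-32], record[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))


def _ske_digest(p: int, g: int, gb: int, cr: bytes, sr: bytes) -> int:
    """Hash of the ServerKeyExchange parameters that the RSA key signs."""
    return int.from_bytes(hashlib.sha256(f"{p}:{g}:{gb}".encode() + cr + sr).digest(), "big")


def handshake(mode: str, server_key: tuple, message: bytes) -> dict:
    """Run one toy handshake and return only what a passive sensor sees on the wire."""
    n, e, d = server_key
    cr, sr = secrets.token_bytes(32), secrets.token_bytes(32)
    wire = {"mode": mode, "client_random": cr, "server_random": sr}
    if mode == "RSA":
        premaster = secrets.randbits(368)                   # 46 bytes, well below n
        wire["client_key_exchange"] = pow(premaster, e, n)  # encrypted to the server's public key
    elif mode == "DHE":
        p, g = random_prime(256), 2                         # toy group, not a standard one
        b = secrets.randbelow(p - 2) + 1
        gb = pow(g, b, p)
        wire["server_key_exchange"] = (p, g, gb, pow(_ske_digest(p, g, gb, cr, sr), d, n))
        a = secrets.randbelow(p - 2) + 1
        wire["client_key_exchange"] = pow(g, a, p)
        premaster = pow(gb, a, p)                           # g^ab; the server computes (g^a)^b
        assert premaster == pow(wire["client_key_exchange"], b, p)
    else:
        raise ValueError(mode)
    wire["record"] = seal(derive_key(premaster, cr, sr), message)
    return wire


def passive_decrypt(wire: dict, server_key: tuple):
    """What an NSM sensor that holds the server's private key can recover."""
    n, e, d = server_key
    cr, sr = wire["client_random"], wire["server_random"]
    if wire["mode"] == "RSA":
        premaster = pow(wire["client_key_exchange"], d, n)  # the same operation the server performs
        return open_record(derive_key(premaster, cr, sr), wire["record"])
    # DHE: the RSA key only signs the DH parameters. The sensor can check that
    # signature (a public-key operation), but g^ab never crosses the wire and
    # the private exponent d gives no shortcut to it. This is the EDH case.
    p, g, gb, sig = wire["server_key_exchange"]
    assert pow(sig, e, n) == _ske_digest(p, g, gb, cr, sr)
    return None


if __name__ == "__main__":
    key = rsa_keygen()
    for mode in ("RSA", "DHE"):
        print(mode, passive_decrypt(handshake(mode, key, b"GET /secret HTTP/1.1"), key))
```

The `RSA` branch recovers the request because the premaster secret is literally on the wire, encrypted to a key the sensor holds; the `DHE` branch cannot, which is the limitation dre points to in ssldump. Richard's outbound case is worse still: for a session to someone else's server the sensor holds neither key, so no branch applies, and the options left are a terminating proxy or monitoring on the endpoint. Note also that TLS 1.3 removed the static-RSA key exchange altogether, so the `RSA` branch no longer exists for modern traffic regardless of who owns the server.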