https://community.cisco.com/t5/network-security/ids-detection-of-encrypted-packets-within-non-ssl-traffic/m-p/1400778#M67995 <P>All...</P><P></P><P>Here's the scenario:</P><P></P><P>There's a host on the internal network that has a reverse shell to the outside world, and the packets being sent back to the attacker are encrypted, over a standard web (TCP/80) port - which is allowed by Websense or URL filter of choice.</P><P></P><P>Can a custom signature be created to alert on the detection of encrypted packets / data streams over non-encrypted transmissions? We've found other IDS/IPS systems that we're able to build custom sigs to detect and alert on these streams, but are wondering if we can do that in within Cisco IDS/IPS?</P><P></P><P>Please be specific if possible...let's assume the organization is using the latest version of Cisco IDS software.</P><P></P><P>Thanks in advance...</P> Sun, 10 Mar 2019 11:53:33 GMT astroman 2019-03-10T11:53:33Z https://community.cisco.com/t5/network-security/ids-detection-of-encrypted-packets-within-non-ssl-traffic/m-p/1400778#M67995 <P>All...</P><P></P><P>Here's the scenario:</P><P></P><P>There's a host on the internal network that has a reverse shell to the outside world, and the packets being sent back to the attacker are encrypted, over a standard web (TCP/80) port - which is allowed by Websense or URL filter of choice.</P><P></P><P>Can a custom signature be created to alert on the detection of encrypted packets / data streams over non-encrypted transmissions? We've found other IDS/IPS systems that we're able to build custom sigs to detect and alert on these streams, but are wondering if we can do that in within Cisco IDS/IPS?</P><P></P><P>Please be specific if possible...let's assume the organization is using the latest version of Cisco IDS software.</P><P></P><P>Thanks in advance...</P> Sun, 10 Mar 2019 11:53:33 GMT https://community.cisco.com/t5/network-security/ids-detection-of-encrypted-packets-within-non-ssl-traffic/m-p/1400778#M67995 astroman 2019-03-10T11:53:33Z https://community.cisco.com/t5/network-security/ids-detection-of-encrypted-packets-within-non-ssl-traffic/m-p/1400779#M67997 <HTML><HEAD></HEAD><BODY><P>Have you got Sig 11233 series enabled?&nbsp; It does, BTW, appear to exclude "WEBPORTS."&nbsp; Maybe a copy could be made to exclude only TCP 443. </P></BODY></HTML> Wed, 17 Feb 2010 16:40:38 GMT https://community.cisco.com/t5/network-security/ids-detection-of-encrypted-packets-within-non-ssl-traffic/m-p/1400779#M67997 bnidacoc 2010-02-17T16:40:38Z