topic Re: Threat signatures requiring ssl decryption in General Topics

Threat signatures requiring ssl decryption

Lepton — Thu, 25 Aug 2016 19:57:59 GMT

Is there a way to determine if a threat signature requires ssl decrypt in order to provide protection. I undertsnad this could have at least three posibilities being fully required, partially required, and not required. Using signature 14616 in content version 608 as an example, I cannot determine if I will ever see hits on this threat ID if I don't leverage ssl decrypt on the session.

Re: Threat signatures requiring ssl decryption

BPry — Thu, 25 Aug 2016 20:39:02 GMT

Non of the threat id's *require* that your traffic is decrypted, if it detects the signature then it will trigger. If it can't detect the signature because of the encryption then it will not trigger.

Re: Threat signatures requiring ssl decryption

santonic — Fri, 26 Aug 2016 07:05:18 GMT

Not a single signature will trigger on encrypted traffic. If you want to check encrypted traffic for threats, you MUST decrypt it.

Re: Threat signatures requiring ssl decryption

BPry — Fri, 26 Aug 2016 15:12:43 GMT

santonic,

There is actually quite a few threat signatures that trigger based on packet header information

Re: Threat signatures requiring ssl decryption

santonic — Mon, 29 Aug 2016 06:59:55 GMT

Yeah, signatures which check protocol compliance can still work.

But a short answer would be: if you want to check an encrypted session for possible threats, you have to decrypt it.