Encryption On The Wire

by Josef Weiss
January 9, 2014

This dashboard provides a summary of encrypted communications found on the network. It is made up of six components that draw on passive encryption detection, active scan data, and log data from LCE.

PVS Detected Encrypted Sessions

This component utilizes PVS to present a graphical representation of encrypted sessions on the wire. Three categories are represented:

  • Internal encrypted sessions detected
  • Outbound encrypted sessions detected
  • Inbound encrypted sessions detected

Generic SSL Client Detection

This component utilizes the IP Summary Tool and three passive plugins to display SSL client information contained in the vulnerability database. The plugins utilized are:

  • 5938 and 5977: SSL Client Detection (Passive)
  • 801050: OpenSSL Detection (LCE)

Private Key Data Leakage Alarms

This component utilizes a series of passive plugins to detect when a host has just transmitted an encryption private key in plaintext over the network. This is a risk because private keys should only reside on the local system; if they must be transferred, they should be encrypted in transit.
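To illustrate the kind of condition this component alarms on, the following added example (not Tenable's plugin logic, and assuming reassembled plaintext session payloads are already available as strings) scans constructed sample flows for PEM-encoded private key blocks and raises an alarm per hit:

```python
import re
from typing import Dict, List

# Constructed sample payloads standing in for reassembled plaintext sessions.
# The key bodies are filler text, not real key material.
SAMPLE_SESSIONS: Dict[str, str] = {
    "10.0.0.5 -> 10.0.0.9 (tcp/25)": (
        "Subject: build server key\r\n\r\n"
        "-----BEGIN RSA PRIVATE KEY-----\r\n"
        "MIIEowIBAAKCAQEAx(filler, not a real key)\r\n"
        "-----END RSA PRIVATE KEY-----\r\n"
    ),
    "10.0.0.7 -> 10.0.0.9 (tcp/80)": "GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n",
    "10.0.0.8 -> 192.0.2.10 (tcp/21)": (
        "-----BEGIN PRIVATE KEY-----\n"
        "MIIEvQIBADANBgkqhkiG9w0BAQEFAASC(filler)\n"
        "-----END PRIVATE KEY-----\n"
    ),
    # A TLS ClientHello: opaque bytes, so nothing is visible to a plaintext check.
    "10.0.0.8 -> 10.0.0.9 (tcp/443)": "\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03",
}

# Matches a complete PEM private-key block; the END label must equal the BEGIN label.
PEM_PRIVATE_KEY = re.compile(
    r"-----BEGIN ((?:RSA |DSA |EC |ENCRYPTED |OPENSSH )?PRIVATE KEY)-----"
    r".*?"
    r"-----END \1-----",
    re.DOTALL,
)


def find_private_keys(payload: str) -> List[str]:
    """Return the PEM label of every private-key block found in a plaintext payload."""
    return [m.group(1) for m in PEM_PRIVATE_KEY.finditer(payload)]


def alarms(sessions: Dict[str, str]) -> List[Dict[str, str]]:
    """One alarm per private key seen in plaintext, keyed by the flow it travelled on."""
    found = []
    for flow, payload in sessions.items():
        for label in find_private_keys(payload):
            # A PKCS#8 "ENCRYPTED PRIVATE KEY" is passphrase-protected: still a leak
            # of key material, but rated lower than an unprotected key.
            severity = "medium" if label.startswith("ENCRYPTED") else "high"
            found.append({"flow": flow, "key_type": label, "severity": severity})
    return found


if __name__ == "__main__":
    for a in alarms(SAMPLE_SESSIONS):
        print(f"[{a['severity']}] {a['key_type']} observed in plaintext on {a['flow']}")
```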

Other Detected Encrypted Sessions

This component trends detected SSH, SSL and VPN connections over the last 25 days, providing a graphical representation of the number of sessions observed for each of these types.

Clients with Encrypted Sessions

This component utilizes the IP Summary Tool and the ‘encrypted’ search term to display encrypted sessions. Hosts found in the event database within the last 25-day timeframe are displayed.

Tunneling Protocols Detected

This indicator matrix alert utilizes several passive plugins to determine whether any tunneling protocols are detected on the network. While not all of these protocols are malicious, this indicator gives analysts the ability to rapidly identify when data that may be of interest is being encapsulated. Plugins in this component are:

  • 1133: Web Server SSLv3 detection
  • 1134: Web Server SSLv2 detection
  • 1135: Web Server SSLv1 detection
  • 1923: TLSv1 Negotiation detection
  • 70556: Cogent DataHub Tunnel/Mirror detection
  • 2542 - 2543: Tor Tunnel detection
  • 3804: SQLyog MySQL HTTP Tunnel detection
  • 3876: Teredo Server detection
  • 3883: SOCKS 4 Proxy detection
  • 3884: SOCKS 5 Proxy detection
  • 4193 - 4194: Netopia Timbuktu detection
  • 4969 - 4972, 4975 - 4976: DNS Tunnel detection (various modes)
  • 6231: SMTP Proxy Traffic detected