On Mon, Jul 17, 2017 at 8:02 AM, Dobbins, Roland <rdobb...@arbor.net> wrote:

> On Jul 17, 2017, at 14:14, Russ Housley <hous...@vigilsec.com> wrote:
>
> > I think that the IDS is trying to detect an infected server trying to
> > migrate to another server. Malware often includes a series of exploits that
> > are tried in sequence to infect a neighbor, and this activity provides a
> > detectable signature.
>
> Correct. And not just between servers.

I think the point that Martin was making (and if he wasn't, I will): that malware is becoming increasingly aware that IDS/IPS and TLS proxy boxes are looking into TLS traffic, and they're beginning to encrypt traffic inside the TLS tunnel. That pushes the problem back into the application layer, and on the endpoint to be dealt with by antivirus tools.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls