Here’s my not-so-theoretical scenario: a day-one Trojan horse attack where the attacker sets up a secure connection back to himself using a well-known trusted port, such as 80, 21 or 443. Or, for instance, a malicious user takes advantage of an open-source tool such as OpenVPN to secure and route a connection out through a trusted port from within the company, effectively making all security mitigations useless.
Is there any way that Snort could detect an initializing secure connection, whether it be SSL/TLS or IPsec? I realize that once the connection is established it becomes very difficult to find; that’s my problem.
My main question: Is there any way to detect the exchange of public keys and log who’s doing it?
Thanks in advance!
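The handshake the question is asking about is visible on the wire before any encryption starts: a TLS session opens with a plaintext ClientHello record (content type 0x16, handshake type 0x01) that carries the client's offered version, cipher suites and usually the server name (SNI). Snort's SSL/TLS preprocessor keys on exactly this and exposes it to rules through the `ssl_state` and `ssl_version` options, so a rule can fire on a ClientHello regardless of the destination port. The script below is an added example, not from the original post or from the Snort project: a minimal port-independent ClientHello detector run over a few constructed TCP payloads (an HTTP request on port 80, a TLS handshake aimed at port 80, one aimed at 443, and a decoy that merely begins with 0x16). Hostnames, addresses and the `scan_flows` helper are constructed for the example. One caveat: OpenVPN wraps its TLS control channel in its own packet framing rather than sending raw TLS records, so a raw-record check like this one (or Snort's SSL preprocessor) will not match an OpenVPN tunnel by itself.

```python
import struct

# Record-layer versions a real client will put in the header.
TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}


def build_client_hello(server_name: str, version: int = 0x0303) -> bytes:
    """Construct a minimal TLS ClientHello record with an SNI extension (test input only)."""
    name = server_name.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list      # extension type 0 = SNI
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (struct.pack("!H", version)
            + b"\x11" * 32                                              # client random
            + b"\x00"                                                   # empty session id
            + struct.pack("!H", 4) + b"\xc0\x2f\x00\x2f"                # two cipher suites
            + b"\x01\x00"                                               # null compression
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body           # handshake type 1
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake


def parse_client_hello(payload: bytes):
    """Return {'version', 'sni'} if payload starts with a TLS ClientHello, else None."""
    if len(payload) < 5 or payload[0] != 0x16:
        return None
    rec_ver, rec_len = struct.unpack("!HH", payload[1:5])
    if rec_ver not in TLS_VERSIONS:
        return None
    hs = payload[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 35:
        return None
    client_ver = struct.unpack("!H", body[0:2])[0]
    pos = 34                                   # skip version + 32-byte random
    pos += 1 + body[pos]                       # session id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                       # compression methods
    sni = None
    if len(body) >= pos + 2:                   # extensions are optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= min(end, len(body)):
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            ext = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type == 0 and len(ext) >= 5:
                name_len = struct.unpack("!H", ext[3:5])[0]
                sni = ext[5:5 + name_len].decode("ascii", "replace")
    return {"version": TLS_VERSIONS.get(client_ver, hex(client_ver)), "sni": sni}


def scan_flows(flows):
    """Flag every flow whose first payload is a ClientHello, whatever the port (logs who/where)."""
    alerts = []
    for src, dst, dport, payload in flows:
        hello = parse_client_hello(payload)
        if hello is not None:
            alerts.append({"src": src, "dst": dst, "dport": dport, **hello})
    return alerts


# Constructed sample flows: (src, dst, dport, first TCP payload).
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.10", 80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("10.0.0.7", "203.0.113.20", 80, build_client_hello("c2.example.net")),   # TLS hidden on 80
    ("10.0.0.9", "203.0.113.30", 443, build_client_hello("www.example.com")),
    ("10.0.0.11", "203.0.113.40", 21, b"\x16\x99\x99\x00\x05hello"),          # bogus version
]

if __name__ == "__main__":
    for a in scan_flows(SAMPLE_FLOWS):
        print(f"TLS ClientHello {a['src']} -> {a['dst']}:{a['dport']} "
              f"version={a['version']} sni={a['sni']}")
```

Run as-is it reports the two handshakes and stays quiet on the HTTP request and the decoy; the host on port 80 talking TLS is the one the question wants to catch, and the SNI gives you something to log besides the IP pair. The same idea in Snort terms is a rule over `tcp any any -> any !443` carrying `ssl_state:client_hello;` so that TLS on a port where TLS is not expected raises an alert.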