IDS/IPS for detecting/preventing unauthorized VPN or encrypted traffic. Maybe SNORT?
Here's my not so theoretical scenario: A day-one Trojan horse attack where the attacker sets up a secure connection back to himself using a well known trusted port, such as 80 21 443. Or for instance, if a malicious user takes advantage of an open source tool such as openvpn to secure and route a connection out through a trusted port from within the company, effectively making all security mitigations useless.
Is there any way that either snort or some other product could detect an initializing secure connection whether it be SSL/TLS or IPSEC? I realize that once the connection is established it becomes very difficult to find, that's my problem.
My main question: Is there any way to detect the exchange of public keys and log who's doing it?
Thanks in advanced!