IDS mailing list archives
Re: backdoor detection
From: Jose Nazario <jose () monkey org>
Date: Sun, 29 Dec 2002 20:11:10 -0500 (EST)
On Fri, 27 Dec 2002, Ramesh Gupta wrote:
For detecting encrypted backdoors, one has to resort to statistical or timing analysis of traffic and anomaly detection methods.
in this vein, marius eriksen's tool "netics" could be useful: http://monkey.org/~marius/netics/

imagine getting an average entropy and flow length for hosts and services and then profiling against that. this way you could detect rogue sshd services (ie on port 31337/tcp) or plaintext services in normally encrypted traffic (ie an "https" server that's really a telnet proxy). just a couple of examples.

___________________________
jose nazario, ph.d. jose () monkey org http://www.monkey.org/~jose/
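The per-service entropy profiling sketched in the reply, as an added example (not code from the post or from netics): a baseline of mean payload entropy per destination port is learned from constructed known-good flows, then suspect flows are compared against it. The port numbers, the 1.5-bit tolerance, the 7.0-bit "looks encrypted" floor and all payloads are assumptions built inline; real deployments would learn from captured traffic and add flow length as a second feature.

```python
import hashlib
import math
from collections import Counter, defaultdict

def shannon_entropy(data: bytes) -> float:
    """Empirical Shannon entropy of the byte distribution, in bits per byte (0..8)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def pseudo_ciphertext(seed: bytes, n: int) -> bytes:
    """Deterministic high-entropy filler standing in for TLS/SSH payload (constructed, not a capture)."""
    blocks = (hashlib.sha256(seed + i.to_bytes(4, "big")).digest() for i in range(-(-n // 32)))
    return b"".join(blocks)[:n]

# Constructed plaintext resembling an interactive telnet session (not a real capture).
TELNET_TEXT = (b"login: operator\r\nPassword: \r\nLast login: Sun Dec 29 20:11 from console\r\n"
               b"$ ls -la /var/log\r\ntotal 48\r\n$ cat /etc/hostname\r\n") * 16

# Known-good flows used to learn the per-service baseline: (dst_port, payload). Assumed ports.
BASELINE_FLOWS = [(443, pseudo_ciphertext(b"tls-%d" % i, 2048)) for i in range(3)] + \
                 [(22, pseudo_ciphertext(b"ssh-%d" % i, 2048)) for i in range(3)]

def build_profile(flows):
    """Mean payload entropy per destination port, learned from known-good traffic."""
    acc = defaultdict(list)
    for port, payload in flows:
        acc[port].append(shannon_entropy(payload))
    return {port: sum(v) / len(v) for port, v in acc.items()}

def classify(port, payload, profile, tolerance=1.5, encrypted_floor=7.0):
    """Compare one flow's entropy against the learned baseline for its port (thresholds assumed)."""
    h = shannon_entropy(payload)
    if port not in profile:
        # No baseline for this port: a near-8-bit payload looks like an encrypted service nobody profiled.
        return "rogue-encrypted-service" if h >= encrypted_floor else "unprofiled-service"
    # Profiled port: plaintext where ciphertext is expected (or vice versa) shows up as a large gap.
    return "entropy-mismatch" if abs(h - profile[port]) > tolerance else "ok"

def run_demo():
    """Classify three constructed suspect flows against the baseline; returns {label: verdict}."""
    profile = build_profile(BASELINE_FLOWS)
    suspects = {
        "genuine https": (443, pseudo_ciphertext(b"tls-live", 2048)),
        "telnet proxy behind port 443": (443, TELNET_TEXT),
        "sshd on 31337/tcp": (31337, pseudo_ciphertext(b"rogue-sshd", 2048)),
    }
    return {name: classify(p, d, profile) for name, (p, d) in suspects.items()}

if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict}")
```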
Current thread:
- backdoor detection lee lucy (Dec 27)
- Re: backdoor detection Mattias Hedenskog (Dec 29)
- <Possible follow-ups>
- Re: backdoor detection Ramesh Gupta (Dec 29)
- Re: backdoor detection Jose Nazario (Dec 30)