IDS mailing list archives

Re: backdoor detection


From: Jose Nazario <jose () monkey org>
Date: Sun, 29 Dec 2002 20:11:10 -0500 (EST)

On Fri, 27 Dec 2002, Ramesh Gupta wrote:

> For detecting encrypted backdoors, one has to resort to statistical or
> timing analysis of traffic and anomaly detection methods.

in this vein, marius eriksen's tool "netics" could be useful:

        http://monkey.org/~marius/netics/

imagine getting an average entropy and flow length for hosts and services
and then profiling against that. this way you could detect rogue sshd
services (ie on port 31337/tcp) or plaintext services in normally
encrypted traffic (ie an "https" server that's really a telnet proxy).

just a couple of examples.

___________________________
jose nazario, ph.d.                     jose () monkey org
                                        http://www.monkey.org/~jose/

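The per-service entropy and flow-length profiling sketched in the post, as an added example that is not part of the post or of netics: the ports come from the post, while the baseline deviation floors, the 7-bit "looks encrypted" threshold and the sample traffic are constructed assumptions.

```python
import math
import random
from collections import Counter, defaultdict
from statistics import mean, pstdev

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def build_profile(flows):
    """Per-port baseline (mean, stdev) of payload entropy and length from (port, payload) pairs."""
    by_port = defaultdict(list)
    for port, payload in flows:
        by_port[port].append((shannon_entropy(payload), len(payload)))
    profile = {}
    for port, samples in by_port.items():
        ents, lens = zip(*samples)
        # stdev is floored (assumed values) so a very uniform baseline does not alert on jitter
        profile[port] = {"entropy": (mean(ents), max(pstdev(ents), 0.5)),
                         "length": (mean(lens), max(pstdev(lens), 64.0))}
    return profile

def flag_flows(profile, flows, z_max=3.0, crypto_floor=7.0):
    """Return (port, reason) for flows that deviate from their port's baseline."""
    alerts = []
    for port, payload in flows:
        observed = {"entropy": shannon_entropy(payload), "length": len(payload)}
        base = profile.get(port)
        if base is None:  # no baseline: encrypted-looking traffic on an odd port (rogue sshd case)
            if observed["entropy"] >= crypto_floor:
                alerts.append((port, "high-entropy traffic on unprofiled port"))
            continue
        for name, value in observed.items():
            mu, sigma = base[name]
            if abs(value - mu) / sigma > z_max:
                alerts.append((port, f"{name} {value:.2f} vs baseline {mu:.2f}"))
                break
    return alerts

# Constructed sample traffic from a fixed seed; not real captures.
_rng = random.Random(1)
_random_payload = lambda n: bytes(_rng.getrandbits(8) for _ in range(n))
BASELINE = [(443, _random_payload(_rng.randint(400, 1200))) for _ in range(20)]
OBSERVED = [(443, _random_payload(900)),                                   # ordinary TLS-looking flow
            (443, b"login: root\r\nPassword: \r\n$ ls -la /etc\r\n" * 4),  # plaintext behind "https"
            (31337, _random_payload(700)),                                 # encrypted-looking on an odd port
            (31337, b"HELLO WORLD " * 20)]                                 # plaintext on an odd port: no alert
```

Running `flag_flows(build_profile(BASELINE), OBSERVED)` reports the plaintext flow on 443 and the high-entropy flow on 31337 and stays quiet on the other two.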
