IDS mailing list archives
RE: HTTP based trojans
From: "Rob Shein" <shoten () starpower net>
Date: Thu, 7 Nov 2002 11:59:28 -0500
Yes, except that in Setiri, for example, the communication adheres to HTTP standards. It's not just a trojan using port 80 to slip through firewalls and IDS systems unnoticed; it actually uses Internet Explorer as a component of itself, so that even local app-aware firewalling like ZoneAlarm, Norton Internet Security or BlackIce won't see anything unusual.
-----Original Message-----
From: s.wun [mailto:s.wun () thales-is com hk]
Sent: Wednesday, November 06, 2002 9:13 PM
To: AQBARROS () BKB com br; focus-ids () securityfocus com
Subject: Re: HTTP based trojans

I think this so-called flow-based IDS is about analysing each end-to-end connection based on what protocol the connection is using. For example, if the protocol is 6, it should follow the standard TCP communication standard; anything other than that will be regarded as a potential hack. That's why in an http connection, when it detected that the communication does not belong to http, it should be able to raise an alarm.

One can create this kind of analysis with simple programming; it is not necessary to purchase StealthWatch if we understand the principle of it.

sam
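The two positions in this exchange, as an added example that is not part of the original thread: s.wun's "is the traffic on tcp/80 actually HTTP?" conformance heuristic, implemented as a syntactic check on the opening bytes of a connection, and Rob's caveat that a trojan driving a real browser (the Setiri case) produces conformant requests and passes it. The sample connection heads are constructed for the demo, not captures.

```python
import re

# Constructed opening bytes of four TCP/80 client streams (not real captures).
SAMPLES = {
    "browser_get": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                   b"User-Agent: Mozilla/4.0\r\n\r\n",
    "raw_binary": b"\x00\x01\x7f\xde\xad\xbe\xef\x10\x00\x00\x04\x02",
    "custom_sync": b"SYNC v2 id=1234\r\n\r\n",          # made-up non-HTTP protocol
    "ie_driven_post": b"POST /cgi-bin/form HTTP/1.1\r\nHost: www.example.com\r\n"
                      b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n"
                      b"Content-Length: 5\r\n\r\nhello",  # conformant, as a browser would send
}

METHODS = {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]$")
# RFC 2616 token characters for the field name, then ':' and any field value.
HEADER_LINE = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+:[ \t]*[^\r\n]*$")


def looks_like_http_request(head: bytes) -> bool:
    """True if the client's opening bytes form a syntactically valid HTTP/1.x
    request line followed by well-formed header lines and a blank line.
    The check is purely syntactic, which is exactly Rob's objection: a trojan
    that lets Internet Explorer do the talking is indistinguishable here."""
    if b"\r\n\r\n" not in head:
        return False
    header_block = head.split(b"\r\n\r\n", 1)[0]
    lines = header_block.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m or m.group(1).decode() not in METHODS:
        return False
    return all(HEADER_LINE.match(line) for line in lines[1:])


def flag_port80_stream(head: bytes) -> str:
    """Verdict for one connection under the flow-based heuristic s.wun
    describes: port-80 traffic that is not HTTP raises an alarm."""
    return "ok" if looks_like_http_request(head) else "ALARM: non-HTTP on tcp/80"


if __name__ == "__main__":
    for name, head in SAMPLES.items():
        print(f"{name:15} {flag_port80_stream(head)}")
```

Only the two non-HTTP samples are flagged; the browser-driven POST is accepted just like the genuine page fetch, so a tool of the kind Rob describes needs content- or behaviour-based detection rather than protocol conformance.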