IDS mailing list archives

Re: Detecting trojans on random ports with encrypted traffic...


From: Frank Knobbe <fknobbe () knobbeits com>
Date: 24 Oct 2002 11:03:38 -0500

Intrusion Detection does not have to rely on signatures alone. You can
and should create your own rules that can spot abnormal traffic.

Since it sounds like you are using Snort, you can write rules that
detect connections from and to ports that you normally don't use. The
classic example is rules for a web server that alert you when the web
server starts to establish connections to the outside on its own (not
counting any connections that are normal like virus scanner updates). Or
create rules that allow users to connect to various allowed ports (i.e.
ftp, http, ntp), but alert you when there are odd outbound connections
(such as some trojans would do).

If you add some 'behavioral' rules to Snort, or any IDS, you can detect a
great deal more than just with signatures.

Regards,
Frank


On Wed, 2002-10-23 at 15:55, Clint Byrum wrote:
Ok so, we can obviously see sub7 on port 27374 with its known signature
patterns. But then they go and run it on a different port. And then they
go and encrypt things (I don't know if sub7 can do this, but for instance
BO or something else).

The scenario is, a user brings a floppy disk with a trojan on it to the
location, and puts the trojan on another user's computer. They then sit
back and watch the keylogging/passwords/etc.etc.

So, is this what SPADE is supposed to handle? I mean.. currently the
only solution I have come up with is to designate subnets that are not
supposed to be talking to each other, and alert on peer to peer traffic.
But this isn't always possible, and this doesn't cover traffic where the
trojan is on a server.

Is there any hope to detect this situation?
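The 'behavioral' approach Frank describes (a server that must never dial out, workstations limited to a few allowed outbound ports, isolated subnets that should not talk to each other) expressed as a small policy checker over connection records. This is an added example, not code from the thread or from Snort; the addresses, subnets and flow records are constructed, and the only fields it looks at are endpoints and destination port, so it works the same whether or not the payload is encrypted.

```python
import ipaddress

# Constructed policy for a fictional network (example values, not from the thread).
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]
SERVERS_NO_OUTBOUND = {"10.0.1.10"}        # web server: should only answer, never initiate
OUTBOUND_EXEMPT_DST = {"10.0.9.5"}         # e.g. the virus scanner update server
ALLOWED_CLIENT_PORTS = {21, 80, 123}       # ftp, http, ntp for ordinary users
ISOLATED_SUBNETS = [ipaddress.ip_network("10.0.2.0/24"),
                    ipaddress.ip_network("10.0.3.0/24")]


def is_internal(ip):
    return any(ip in net for net in INTERNAL)


def classify(conn):
    """Return alert strings for one connection-initiation record
    (the host in 'src' opened the connection to 'dst':'dport')."""
    src = ipaddress.ip_address(conn["src"])
    dst = ipaddress.ip_address(conn["dst"])
    dport = conn["dport"]
    alerts = []
    # Rule 1: a server that should never connect out on its own.
    if str(src) in SERVERS_NO_OUTBOUND and str(dst) not in OUTBOUND_EXEMPT_DST:
        alerts.append(f"server {src} initiated connection to {dst}:{dport}")
    # Rule 2: a workstation connecting out to a port outside the allowed set.
    elif is_internal(src) and not is_internal(dst) and dport not in ALLOWED_CLIENT_PORTS:
        alerts.append(f"odd outbound connection {src} -> {dst}:{dport}")
    # Rule 3: peer-to-peer traffic between subnets that are not supposed to talk.
    if is_internal(src) and is_internal(dst):
        src_net = next((n for n in ISOLATED_SUBNETS if src in n), None)
        dst_net = next((n for n in ISOLATED_SUBNETS if dst in n), None)
        if src_net and dst_net and src_net != dst_net:
            alerts.append(f"peer traffic {src} -> {dst}:{dport} across isolated subnets")
    return alerts


# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = [
    {"src": "10.0.2.15", "dst": "198.51.100.7", "dport": 80},     # normal browsing
    {"src": "10.0.2.15", "dst": "198.51.100.7", "dport": 31337},  # trojan on a random port
    {"src": "10.0.1.10", "dst": "10.0.9.5", "dport": 80},         # web server fetching AV updates
    {"src": "10.0.1.10", "dst": "203.0.113.9", "dport": 443},     # web server dialing out
    {"src": "10.0.2.15", "dst": "10.0.3.22", "dport": 27374},     # peer traffic across isolated subnets
]


def run(flows=SAMPLE_FLOWS):
    """Map flow index -> alerts, for the flows that violate the policy."""
    return {i: classify(f) for i, f in enumerate(flows) if classify(f)}
```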
