RE: ssh and ids

[Melih Kırkgöz (Koç.net) <melihk () koc net>]

NAI Intrushield 2.1 version is capable of detecting and analysing encrypted data packets.
İ have not tested that yet but saw that in their white paper.
İt will be released officially soon i guess

-----Original Message-----
From: Adam Powers [mailto:apowers () lancope com] 
Sent: Saturday, June 19, 2004 7:29 AM
To: focus-ids () securityfocus com
Cc: Runion Mark A FGA DOIM WEBMASTER(ctr)
Subject: Re: ssh and ids


There is really no one full-proof answer to this question (that I'm aware of). Encryption remains the bane of 
network-based intrusion detection technologies.

At the risk of speaking on behalf of such flow-based vendors as Arbor, Mazu, Q1, and (yes, my personal favorite) 
Lancope, I think some of the new behavioral traffic analysis technologies go a long way toward solving some of the 
problems presented by encryption technologies.

<light details>
By observing the duration of a "flow" (read: a TCP socket or series of related sockets) and the manner in which packets 
are exchanged over a "long duration" flow, a behavior-based system can pinpoint those connections that seem to be "out 
of the norm". During the baselining period, a behavior driven system observes connections attributes such as "duration" 
and "relative connectedness" to gain an understanding of the nature of the flows being created by a given network node. 
The flow-based, behavior-driven system should have the ability to discern between a AES gotomypc.com connection over 
TCP 443 and an automatic refresh connection to www.weather.com. The determination that "covert communications" are 
underway is done not through string matching or protocol anomaly but rather through the analysis of the flow attributes 
themselves (duration, packets sent/rcvd, pkt size, etc). Bottoms line: the magic is in the algorithms used to examine 
header traffic. Header traffic is not encrypted. </light details>

The #1 defining attribute of flow-analysis techniques is that they typically DO NOT require use of payload data to 
determine the presence of an attack.

As previously mentioned, there is no fool-proof plan... Flow-based technologies can be tricked... It just requires a 
much different science than that used by snot, sidestep, or encrypted shell shoveling.

- AP



On 6/18/04 2:18 PM, "Runion Mark A FGA DOIM WEBMASTER(ctr)" <mark.runion () us army mil> wrote:

> Lets suppose the attacker is mildly sophisticated, and after making 
> the initial assault roots the box and installs a secure backdoor or 
> two.  Is there any IDS capable of isolating data it cannot read, 
> except to monitor authorized port usage of a system or group of 
> systems?  Not to complicate the question, but when the attacker is 
> using portal gates and all communications traffic is encrypted in 
> normal channels how can an IDS participate?  Monitoring normal traffic 
> patterns seems a bit slow for detection.
>
> -
> Mark Runion
>
>
> ----------------------------------------------------------------------
> -----
>
> ----------------------------------------------------------------------
> -----



---------------------------------------------------------------------------

--------------------------------------------------------------------------- 
_____________________________________________________________________________________________________________________________________________
 
Bu e-posta mesaji kisiye ozel olup, gizli bilgiler iceriyor olabilir. Eger bu e-posta mesaji size yanlislikla 
ulasmissa,  icerigini hic bir sekilde kullanmayiniz ve ekli dosyalari acmayiniz. Bu durumda lutfen e-posta mesajini 
kullaniciya hemen geri gonderiniz  ve  tum kopyalarini mesaj kutunuzdan siliniz. Bu e-posta mesaji, hic bir sekilde, 
herhangi bir amac icin cogaltilamaz, yayinlanamaz ve para karsiligi satilamaz.  Bu e-posta mesaji viruslere karsi 
anti-virus sistemleri tarafindan taranmistir. Ancak yollayici, bu e-posta mesajinin - virus koruma sistemleri ile 
kontrol ediliyor olsa bile - virus icermedigini garanti etmez ve meydana gelebilecek zararlardan dogacak hicbir 
sorumlulugu kabul etmez.  
This message is intended solely for the use of the individual or entity to whom it is addressed , and may contain 
confidential  information. If you are not the intended recipient of this message or you receive this mail in error, you 
should refrain from making any use of the contents and from opening any attachment. In that case, please notify the 
sender immediately and return the message to the sender, then, delete and destroy all copies. This e-mail message, can 
not be copied, published or sold for any reason. This e-mail message has been swept by anti-virus systems for the 
presence of computer viruses. In doing so, however,  sender  cannot warrant that virus or other forms of data 
corruption may not be present and do not take any responsibility in any occurrence. 
_____________________________________________________________________________________________________________________________________________
 
 
 
 

---------------------------------------------------------------------------

---------------------------------------------------------------------------