IDS mailing list archives

Re: Detecting covert data channels?


From: Ron Gula <rgula () tenablesecurity com>
Date: Tue, 29 May 2007 08:40:21 -0400

Hi Joff,

Detecting covert channels and encryption are two separate fields of
work. Just because a connection looks encrypted, it might still be
legitimate. And a back door that isn't encrypted might still be
considered "covert" if you didn't know to look for whatever protocol it
implemented.

I like to tell users who monitor networks to look for new daemons or
listening ports, but there are more advanced back doors that don't use a
TCP socket and can communicate with raw packets. There are also other
backdoors (as in Malware) that simply surf the web (port 80/443/etc) to
web pages that contain jobs for the owned node to do. There is also a
large body of work on detecting botnets that communicate and receive
commands over IRC, hacked web pages, P2P networks, AIM chat and so on.

On our blog, I've written about finding systems which accept or initiate
encrypted and/or interactive TCP sessions:
http://blog.tenablesecurity.com/2007/02/finding_interac.html

As well as looking at large crowd behaviors from netflow/sniffed TCP
sessions:
http://blog.tenablesecurity.com/2006/08/detecting_crowd.html

You might also want to take a look at the Snort signatures available on
the Bleeding Threats web site:
http://www.bleedingthreat.com/

and look at the wide variety of "detects" for the more common back doors
and malware out there.

And lastly, I think some of the best published work on finding this sort
of communication has been done by Lurhq (now SecureWorks) and you can
read several examples here:
http://www.secureworks.com/research/threats/

There is no single detect for a covert channel, but if you read through
the URLs and links here (plus read the older posts on this list) you
should be able to get a sense of the current state of the art for
finding many different types of covert channels.

Ron Gula, CTO
Tenable Network Security
http://www.tenablesecurity.com
http://blog.tenablesecurity.com
http://www.nessus.org




Joff Thyer wrote:
It is reasonably trivial to encode data within packet headers, and
even encrypt said data as most are probably aware.  There are past
examples where control information has been sent within ICMP and other
packets using header fields.

My question surrounds detection; given that IDS tends to be payload
focused, if a covert channel exists that has encrypted data in a
packet header, how do we go about detecting it?

My initial thought leans toward the fact that encrypted data blocks
are statistically flat over time. Given say 'snort', how can we use
this idea? I am not a snort expert by any means, so please no
flames!

I would be happy to summarize opinions.

-Joff Thyer
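The "statistically flat" idea from the question above, worked through as an added example that is not code from either poster: it measures the Shannon entropy of the ICMP echo identifier/sequence fields across a train of packets and flags a train whose header fields look like ciphertext. The packet trains, the 7.0 bits/byte threshold and the minimum sample size are constructed assumptions for illustration.

```python
import math
import random
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, up to 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_echo(ident: int, seq: int) -> bytes:
    """ICMP echo request header: type 8, code 0, checksum left zero (constructed sample)."""
    return struct.pack("!BBHHH", 8, 0, 0, ident & 0xFFFF, seq & 0xFFFF)


def id_seq_bytes(packets) -> bytes:
    """Concatenate the 16-bit identifier and sequence fields (ICMP header bytes 4..7)."""
    return b"".join(pkt[4:8] for pkt in packets)


def covert_header_check(packets, threshold: float = 7.0, min_packets: int = 64):
    """Return (entropy, flagged); both are None when the sample is too small to judge.

    A normal stack fills these fields with a fixed id and a counter, which stays far
    below 8 bits/byte over a train; ciphertext smuggled into them approaches 8.
    """
    if len(packets) < min_packets:
        return None, None
    h = shannon_entropy(id_seq_bytes(packets))
    return h, h >= threshold


# Constructed samples: an ordinary ping train, and a train whose id/seq fields carry
# pseudo-random bytes standing in for encrypted covert data.
NORMAL_PING = [build_echo(0x1234, i) for i in range(512)]
_rng = random.Random(7)
COVERT_PING = [build_echo(_rng.getrandbits(16), _rng.getrandbits(16)) for _ in range(512)]

if __name__ == "__main__":
    for name, train in (("normal", NORMAL_PING), ("covert", COVERT_PING)):
        h, flagged = covert_header_check(train)
        print(f"{name}: {h:.2f} bits/byte, flagged={flagged}")
```

Some fields (IP ID, TCP initial sequence numbers) are deliberately randomized by modern stacks, so the entropy baseline has to be learned per field and per host type before a high reading means anything.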
