RE: Using Snort to find creditcard data?

["Craig Chamberlain" <craig.chamberlain () Q1Labs com>]

What I'm describing in this bit is actually a behavioral detection technique rather than the specification or regexp 
based method (though the combination of the two is often preferable, where available) as the detection failure 
scenarios data inspection are endless, as you point out. What I'm suggesting is that while methods and scenarios for 
obfuscating or concealing data beyond detection or inspection are supernumerary, there are a few elements that can 
usually be reliably detected using flow data, assuming the reporting devices themselves have not been compromised;

1. network transmission took place with between two IP sockets
2. some number of bytes and packets were transmitted, which can be measured
3. the destination address was or was not part of the organization which owns the source
4. the destination address is or is not within expectations (e.g. is it a foreign country or organization with which no 
business relationship exists)
5. (possibly, if you have some packet content samples with the flow data) the application protocol appears to be a 
known application or network protocol
6. this apparent application usage is or is not within expectations - and is or is not typical

With this information, behavioral detection can sometimes find data leaks in the form of anomalous network behavior 
such as the appearance of a new application protocol e.g. a vpn, ssl or ssh connection - especially on a non standard 
port - with a remote destination which is unexpected (while the encrypted data itself is beyond inspection, the 
application protocol itself may be recognizable); or a direct SQL connection from a client desktop, where they normally 
connect through a middleware application, or something else. 

We use a technique we call anomaly detection in the QRadar tool to detect appearance of new behaviors for selected 
high-value systems and networks. useful either as a corroboration to methods like regexp based inspection or as a 
potential method of finding information leaks that evade these detection methods. Of course, there are scenarios where 
new behaviors result from normal changes; none of these methods are perfect, but they are all useful. Combining them 
through correlation can sometimes improve accuracy of detection even further. In my experience, the best method of 
finding misuse patterns like data leaks is through sophisticated event correlation - either manual or programmatic - 
though it needs to be done programmatically in order to scale.

Craig Chamberlain
Principal Security Consultant
craig () q1labs com | www.q1labs.com

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Siim Põder
Sent: Friday, October 19, 2007 2:59 AM
To: Craig Chamberlain
Cc: focus-ids () securityfocus com
Subject: Re: Using Snort to find creditcard data?

Yo!

Craig Chamberlain wrote:
> Good point; what I'm suggesting is that while it's relatively easy to 
> hide or obfuscate the data itself, it is hard to conceal the fact that 
> data - or packets - are being transmitted, possibly using a 
> recognizable application protocol, to an unexpected destination, which 
> can be a useful last-ditch detection mechanism when the other methods 
> fail - or can be a useful corroboration when correlated with the other 
> detect data.

There is bound to be some sort of legitimate production traffic. For example, if there are https connections coming in 
to a specific machine and specific port. You can detect if that machine starts sending out data on its own or starts 
accepting connections on another port.
However, if the same port starts serving credit card numbers
(obfuscated) or even hides the credit card numbers in tcp sequence numbers (or does something even more subtle as 
serving them by changing the case of "A" letters in http connections from certain addresses) the  movement of data 
should be extremely hard to detect.

Siim

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------