Re: covert channel detection?

[Hugh Fraser <hugh_fraser () dofasco ca>]

Chris Green wrote:

> "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com> writes:
>
> > I'm still using Snort 1.7 on Linux and plan to upgrade to 1.8 soon. I was
> > wondering if 1.8 adds any capability to detect covert channels (either icmp
> > or http)? Or does anyone out there use any custom rules for this? Or is it
> > expected that trojan detection will suffice in catching covert channels?
>
> The trouble with covert channels is that they are a dime a dozen and
> each one of them needs to be analyzed separately.  The old movie
> cliche of assassins talking to each other about the multitude of ways
> to kill a person parallels the discussions that many groups of
> "security professionals" will have regarding covert channels.
>
> It there a particular covert channel you are worried about?  The use
> of SPADE might help detect covert channels (it detects anamolous
> packets) but it won't be a perfect solution.
> --
> Chris Green <cmg () uab edu>
> "Yeah, but you're taking the universe out of context."

I'd like to do the same thing. In addition to Snort, I'm also using NFR for
intrusion detection, which has the ability to check the age of a connection with
each packet received. A simple rule can be written to identify connections which
are uncharacteristically old (like DNS, HTTP, etc.). I don't see that ability in
Snort.

> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users