Snort mailing list archives
Re: covert channel detection?
From: Hugh Fraser <hugh_fraser () dofasco ca>
Date: Tue, 07 Aug 2001 07:32:53 -0400
Chris Green wrote:

> "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com> writes:
>
> > I'm still using Snort 1.7 on Linux and plan to upgrade to 1.8 soon. I was wondering if 1.8 adds any capability to detect covert channels (either ICMP or HTTP)? Or does anyone out there use any custom rules for this? Or is it expected that trojan detection will suffice in catching covert channels?
>
> The trouble with covert channels is that they are a dime a dozen and each one of them needs to be analyzed separately. The old movie cliche of assassins talking to each other about the multitude of ways to kill a person parallels the discussions that many groups of "security professionals" will have regarding covert channels. Is there a particular covert channel you are worried about? The use of SPADE might help detect covert channels (it detects anomalous packets) but it won't be a perfect solution.
>
> -- Chris Green <cmg () uab edu> "Yeah, but you're taking the universe out of context."
I'd like to do the same thing. In addition to Snort, I'm also using NFR for intrusion detection, which has the ability to check the age of a connection with each packet received. A simple rule can be written to identify connections which are uncharacteristically old (like DNS, HTTP, etc.). I don't see that ability in Snort.
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
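The connection-age check Hugh describes, written out as an added example that is not part of the original thread and not code from NFR or Snort. It tracks flows by 5-tuple over a constructed packet list and flags any flow whose age exceeds an assumed per-service limit; the thresholds, the idle-timeout value and the sample packets are all assumptions.

```python
from collections import namedtuple

# Constructed packet record: timestamp in seconds, 5-tuple fields.
Packet = namedtuple("Packet", "ts src sport dst dport proto")

# Assumed maximum plausible connection age per destination port (seconds).
# A DNS exchange should be over in seconds; an HTTP session in minutes.
MAX_AGE = {53: 30, 80: 600}


def find_old_connections(packets, max_age=MAX_AGE, idle_timeout=1800):
    """Return {flow: age} for flows older than the limit for their port.

    A flow is keyed on (src, sport, dst, dport, proto). Age is measured from
    the first packet seen on that flow to the current packet. If a flow is
    silent longer than idle_timeout, the next packet starts a new flow, so a
    reused 5-tuple is not mistaken for one long-lived connection.
    Ports with no configured limit are ignored.
    """
    first_seen, last_seen, alerts = {}, {}, {}
    for p in sorted(packets, key=lambda p: p.ts):
        limit = max_age.get(p.dport)
        if limit is None:
            continue
        key = (p.src, p.sport, p.dst, p.dport, p.proto)
        if key in last_seen and p.ts - last_seen[key] > idle_timeout:
            del first_seen[key]          # stale flow: start counting again
        start = first_seen.setdefault(key, p.ts)
        last_seen[key] = p.ts
        age = p.ts - start
        if age > limit:
            alerts[key] = max(age, alerts.get(key, 0))
    return alerts


# Constructed sample traffic: one DNS "query" that stays alive for 200 s,
# one normal HTTP session, one HTTP session held open for 15 minutes,
# and an SSH session (port 22) with no limit configured.
SAMPLE = [
    Packet(0, "10.0.0.5", 40123, "10.0.0.53", 53, "udp"),
    Packet(5, "10.0.0.5", 40123, "10.0.0.53", 53, "udp"),
    Packet(100, "10.0.0.5", 40123, "10.0.0.53", 53, "udp"),
    Packet(200, "10.0.0.5", 40123, "10.0.0.53", 53, "udp"),
    Packet(0, "10.0.0.5", 51001, "192.0.2.10", 80, "tcp"),
    Packet(30, "10.0.0.5", 51001, "192.0.2.10", 80, "tcp"),
    Packet(120, "10.0.0.5", 51001, "192.0.2.10", 80, "tcp"),
    Packet(0, "10.0.0.5", 51000, "192.0.2.10", 80, "tcp"),
    Packet(300, "10.0.0.5", 51000, "192.0.2.10", 80, "tcp"),
    Packet(600, "10.0.0.5", 51000, "192.0.2.10", 80, "tcp"),
    Packet(900, "10.0.0.5", 51000, "192.0.2.10", 80, "tcp"),
    Packet(0, "10.0.0.5", 52000, "192.0.2.20", 22, "tcp"),
    Packet(5000, "10.0.0.5", 52000, "192.0.2.20", 22, "tcp"),
]
```

Running `find_old_connections(SAMPLE)` reports the 200-second DNS flow and the 900-second HTTP flow and stays quiet about the short HTTP session and the SSH session.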