Snort mailing list archives

Re: Snort Detect Binary Transfer


From: "Keith W. McCammon" <mccammon () gmail com>
Date: Tue, 13 Jul 2004 13:56:23 -0400

> Does anyone know of a rule to detect if any binary
> transfer is occurring?

If you're looking for a specific binary, you may be able to do that.
But to detect a binary transfer (independent of transport protocol),
it would be hard to distinguish, for the obvious reasons.  Snort sees the
protocol headers at various levels, as well as the data.  If there's a
preprocessor involved, then it can do some more specific checks
against those protocols.  Unless you can manage a match using one of
those methods, it's probably a guessing game at best.
 
> Specifically this would be used for SSH/SFTP/SCP.

You're not going to have much luck trying to match against encrypted
protocols, unless you've cooked up a new way to pass Snort the session
keys.  Try using Tripwire, or some other host-based scheme if you need
to detect these types of system changes reliably.
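The two points in the reply above, as an added worked example (my code, not anything from the original thread, from Snort or from Tripwire): a payload-signature check of the kind a Snort content rule performs, run over a constructed cleartext file transfer and over the same bytes under a keystream standing in for SSH encryption, followed by a Tripwire-style file-integrity diff, which is the host-based check the reply recommends. The ELF bytes, the session key, the SHA-256 counter-mode keystream (a demo stand-in, not the SSH record format) and the temporary directory are all constructed here for the demonstration.

```python
"""Added example: why a payload signature finds a binary on a cleartext
channel but not over SSH/SCP/SFTP, and what a host-based integrity check
sees instead.  Every input below is constructed inline; the "encrypted"
transfer is the ELF bytes under a SHA-256 counter keystream, not SSH."""
import hashlib
import math
import os
import tempfile

# File magic a Snort rule could match at offset 0 of a reassembled transfer,
# e.g. content:"|7F 45 4C 46|"; depth:4; for ELF.  The two-byte PE "MZ" magic
# is deliberately left out: on its own it is too short to avoid false hits.
BINARY_MAGIC = {"ELF": b"\x7fELF", "Mach-O": b"\xcf\xfa\xed\xfe"}


def match_binary_magic(payload: bytes):
    """Return the format whose magic starts the payload, else None."""
    for name, magic in BINARY_MAGIC.items():
        if payload.startswith(magic):
            return name
    return None


def shannon_entropy(data: bytes) -> float:
    """Bits per byte over the payload; encrypted and compressed data sit near 8."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_payload(payload: bytes) -> str:
    """What a signature-based sensor can say about one reassembled payload."""
    fmt = match_binary_magic(payload)
    if fmt:
        return f"binary transfer ({fmt})"
    if shannon_entropy(payload) > 7.5:
        return "opaque high-entropy data (encrypted or compressed; content unknown)"
    return "no binary signature"


def keystream(key: bytes, n: int) -> bytes:
    """Deterministic SHA-256 counter-mode keystream.  Demo stand-in for the
    session cipher only; not SSH and not for real use."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:n]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Constructed sample: a fake ELF header padded to 1024 bytes as it would appear
# on an FTP data channel, and the same bytes as an SCP copy would look on the wire.
FAKE_ELF = b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 1016
SESSION_KEY = b"constructed-session-key"  # the sensor never has this
CLEARTEXT_TRANSFER = FAKE_ELF
ENCRYPTED_TRANSFER = xor_bytes(FAKE_ELF, keystream(SESSION_KEY, len(FAKE_ELF)))


# Host-based alternative: baseline the file tree, then diff after the transfer.
def hash_tree(root: str) -> dict:
    """Map relative path -> SHA-256 hex digest for every file under root."""
    result = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                result[os.path.relpath(full, root)] = hashlib.sha256(f.read()).hexdigest()
    return result


def diff_tree(before: dict, after: dict) -> dict:
    """Tripwire-style report of added, removed and modified files."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before if p in after and before[p] != after[p]),
    }


def demo_host_check() -> dict:
    """Simulate a binary landing via scp in a monitored directory and report it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "sshd_config"), "w") as f:
            f.write("PermitRootLogin no\n")
        before = hash_tree(root)
        with open(os.path.join(root, "dropped.bin"), "wb") as f:  # the unseen transfer
            f.write(FAKE_ELF)
        return diff_tree(before, hash_tree(root))


if __name__ == "__main__":
    print("cleartext:", classify_payload(CLEARTEXT_TRANSFER))
    print("over SSH: ", classify_payload(ENCRYPTED_TRANSFER))
    print("with key: ", classify_payload(xor_bytes(ENCRYPTED_TRANSFER, keystream(SESSION_KEY, 1024))))
    print("host diff:", demo_host_check())
```

The entropy branch is the most a network sensor can offer on the encrypted channel, and it cannot tell an scp of a binary from any other SSH traffic; the host-side diff reports the dropped file regardless of how it arrived.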


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
