Snort mailing list archives
Re: Snort Detect Binary Transfer
From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 13 Jul 2004 14:02:43 -0400
At 01:32 PM 7/13/2004, Real Cucumber wrote:
Does anyone know of a rule to detect if any binary transfer is occurring? Specifically this would be used for SSH/SFTP/SCP.
And how exactly would it be possible for someone watching the wire to know such a thing was occurring over SSH?
You do realize that SSH/SFTP/SCP is an encrypted protocol, and as such it's specifically designed to make it difficult to know anything about the data being transferred. That's what encryption is all about.
Given that SSH is encrypted, text payload vs binary payload look the same. Or are you just trying to detect the use of SSH? If you just want to detect SSH in the first place, don't look for binary; look for the text strings that are passed as the client and server greet each other with version strings. This happens before encryption is started, so you can look for it rather easily.
One of the bleeding-edge snort rules specifically looks for SSH over non-standard ports:
# Submitted by Joel Esler
alert tcp any !22 -> any !22 (msg:"BLEEDING-EDGE Covert Non-Standard SSH Port Usage"; flags:AP+; content:"SSH-"; depth:8; sid:2000354; rev:1;)
It looks a little broad to me and might have some FPs, but it's a good starting point.
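The following is an added example, not part of the original thread and not code from the Snort or Bleeding-Edge projects. It emulates the quoted rule in plain Python over a handful of constructed TCP segments (hypothetical, not a real capture), then sets a stricter check beside it that parses the SSH identification string as later standardized in RFC 4253 ("SSH-protoversion-softwareversion SP comments CR LF"). The sample set also includes a segment of post-key-exchange ciphertext to show that, once encryption starts, there is no banner left to match on, which is the point made above about text vs binary payloads looking the same.

```python
"""Emulate Snort rule sid:2000354 (SSH banner on non-22 ports) in Python.

Added example for the thread above; the Segment records are constructed
sample data, not captured traffic, and the port/flag/payload values are
assumptions chosen to exercise each branch of the rule.
"""
import re
from dataclasses import dataclass


@dataclass
class Segment:
    src_port: int
    dst_port: int
    flags: str      # TCP flag letters as Snort prints them, e.g. "AP"
    payload: bytes


# Constructed sample segments (hypothetical traffic, not a real capture).
SAMPLES = [
    # client banner to sshd on the standard port: rule must NOT fire ("!22")
    Segment(51234, 22, "AP", b"SSH-2.0-OpenSSH_3.8.1p1\r\n"),
    # sshd answering from port 2222: rule should fire
    Segment(2222, 51235, "AP", b"SSH-2.0-OpenSSH_3.8.1p1 Debian-8\r\n"),
    # same banner but only ACK set, no PSH: flags:AP+ does not match
    Segment(2222, 51236, "A", b"SSH-2.0-OpenSSH_3.8.1p1\r\n"),
    # "SSH-" present but beyond depth:8 in unrelated HTTP: no match
    Segment(8080, 51237, "AP", b"GET /docs/SSH-howto.html HTTP/1.0\r\n"),
    # "SSH-" inside the first 8 bytes but not a real identification string:
    # the plain rule fires here (one of the FPs mentioned above), the
    # RFC 4253 banner check does not
    Segment(8000, 51238, "AP", b"SSH-FAQ: please read\r\n"),
    # binary SSH record after key exchange: encrypted, nothing to match on
    Segment(2222, 51235, "AP", bytes.fromhex("9c1f0b77e2a4d35560f1")),
]


def rule_2000354(seg: Segment) -> bool:
    """alert tcp any !22 -> any !22 (flags:AP+; content:"SSH-"; depth:8;)"""
    # "any !22 -> any !22": neither side may be port 22
    if seg.src_port == 22 or seg.dst_port == 22:
        return False
    # flags:AP+ means ACK and PSH both set; other flags are allowed
    if not {"A", "P"} <= set(seg.flags):
        return False
    # depth:8 restricts the content search to the first 8 payload bytes
    return b"SSH-" in seg.payload[:8]


# RFC 4253 identification string: SSH-protoversion-softwareversion [SP comments] CR LF
SSH_ID = re.compile(rb"^SSH-(\d+\.\d+)-\S+(?: [^\r\n]*)?\r?\n")


def ssh_banner_version(payload: bytes):
    """Return the protoversion ("2.0", "1.99", "1.5", ...) or None if the
    payload does not start with a well-formed identification string."""
    m = SSH_ID.match(payload)
    return m.group(1).decode("ascii") if m else None


def strict_nonstandard_ssh(seg: Segment) -> bool:
    """Same port and flag conditions as the Snort rule, but require a
    syntactically valid SSH banner instead of the bare "SSH-" prefix."""
    if seg.src_port == 22 or seg.dst_port == 22:
        return False
    if not {"A", "P"} <= set(seg.flags):
        return False
    return ssh_banner_version(seg.payload) is not None


def run(rule) -> list:
    """Apply a rule function to every sample and return the hit vector."""
    return [rule(seg) for seg in SAMPLES]


if __name__ == "__main__":
    for seg, loose, strict in zip(SAMPLES, run(rule_2000354),
                                  run(strict_nonstandard_ssh)):
        print(f"{seg.src_port:>5} -> {seg.dst_port:<5} flags={seg.flags:<2} "
              f"rule={loose!s:<5} strict={strict!s:<5} {seg.payload[:24]!r}")
```

Note that the stricter variant only narrows the false positives the original poster was worried about; it still does nothing for the original question, because after the banner exchange the stream is ciphertext and neither rule has anything to key on.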