Snort mailing list archives

Re: Snort Detect Binary Transfer


From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 13 Jul 2004 14:02:43 -0400

At 01:32 PM 7/13/2004, Real Cucumber wrote:
> Does anyone know of a rule to detect if any binary
> transfer is occurring?
>
> Specifically this would be used for SSH/SFTP/SCP.

And how exactly would it be possible for someone watching the wire to know such a thing was occurring over SSH?

You do realize that SSH/SFTP/SCP is an encrypted protocol, and as such it's specifically designed to make it difficult to know anything about the data being transferred.. That's what encryption is all about.

Given that SSH is encrypted, text payload vs binary payload look the same.

Or are you just trying to detect the use of SSH? If you just want to detect SSH in the first place, don't look for binary.. look for the text strings that are passed as the client and server greet each other with version strings. This happens before encryption is started, so you can look for it rather easily.

One of the bleeding-edge snort rules specifically looks for SSH over non-standard ports:


#Submitted by Joel Esler
alert tcp any !22 -> any !22 (msg:"BLEEDING-EDGE Covert Non-Standard SSH Port Usage"; flags:AP+; content:"SSH-"; depth:8; sid:2000354; rev:1;)


It looks a little broad to me and might have some FPs, but it's a good starting point.
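The following is an added example, not part of the original message or of the bleeding-edge ruleset: it re-implements the match conditions of the quoted rule (port exclusion, `flags:AP+`, `content:"SSH-"` within `depth:8`) in Python over a handful of constructed TCP segments, so you can see what fires and what does not. It also goes one step past the page with an optional tighter check on the RFC 4253 banner shape (`SSH-protoversion-softwareversion`), which is one way to trim the false positives the author expects; the segment contents, ports and helper names here are all made up for illustration.

```python
"""Added example: the logic of the 'Covert Non-Standard SSH Port Usage'
rule, expressed in Python so its conditions can be read and tested.
All segments below are constructed sample data, not captured traffic."""
import os
import re
from dataclasses import dataclass

SSH_PORT = 22
CONTENT = b"SSH-"
DEPTH = 8  # Snort depth:8 -> the pattern must lie entirely within the first 8 payload bytes

# RFC 4253 4.2 identification string: SSH-protoversion-softwareversion [SP comments] CR LF
# (tightening beyond the original rule; assumed shape, not from the quoted rule)
BANNER_RE = re.compile(rb"\ASSH-\d+\.\d+-[^\s\r\n]+(?: [^\r\n]*)?\r?\n")


@dataclass
class TcpSegment:
    src_port: int
    dst_port: int
    flags: str      # Snort-style flag letters, e.g. "AP" for ACK+PSH
    payload: bytes


def rule_matches(seg: TcpSegment) -> bool:
    """Mirror of: alert tcp any !22 -> any !22 (flags:AP+; content:"SSH-"; depth:8;)"""
    # 'any !22 -> any !22': neither endpoint may be on the standard SSH port
    if SSH_PORT in (seg.src_port, seg.dst_port):
        return False
    # 'flags:AP+': ACK and PSH must both be set; other flags are permitted
    if not {"A", "P"} <= set(seg.flags):
        return False
    # 'content:"SSH-"; depth:8': search only the first DEPTH bytes of payload
    return CONTENT in seg.payload[:DEPTH]


def looks_like_ssh_banner(seg: TcpSegment) -> bool:
    """Stricter, assumption-labelled check: payload must start with a
    well-formed SSH identification string, not merely contain 'SSH-'."""
    return BANNER_RE.match(seg.payload) is not None


def scan(segments):
    """Return (index, rule_hit, banner_hit) for every segment the rule fires on."""
    return [(i, True, looks_like_ssh_banner(s))
            for i, s in enumerate(segments) if rule_matches(s)]


# Constructed sample segments (labels explain the expected behaviour).
SAMPLES = [
    # 0: server banner on a non-standard port -> rule fires, banner check agrees
    TcpSegment(2222, 51234, "AP", b"SSH-2.0-OpenSSH_7.9\r\n"),
    # 1: client banner in the other direction -> also fires (rule is port-symmetric)
    TcpSegment(51234, 2222, "AP", b"SSH-2.0-PuTTY_Release_0.74\r\n"),
    # 2: same banner but on port 22 -> excluded by the '!22' port negation
    TcpSegment(22, 51235, "AP", b"SSH-2.0-OpenSSH_7.9\r\n"),
    # 3: encrypted SSH data after key exchange -> nothing cleartext to match on,
    #    which is the point the reply makes about binary-vs-text detection
    TcpSegment(2222, 51234, "AP", os.urandom(64)),
    # 4: plain-text chat line beginning with 'SSH-' on an IRC port -> false positive
    #    for the rule; the banner-shape check rejects it
    TcpSegment(6667, 40000, "AP", b"SSH-related outage, check the wiki\r\n"),
    # 5: banner-like text buried at offset 10 -> outside depth:8, rule does not fire
    TcpSegment(8080, 40001, "AP", b"HTTP/1.1 SSH-2.0-x\r\n"),
    # 6: SYN with no payload -> flags requirement fails
    TcpSegment(51236, 2222, "S", b""),
]


if __name__ == "__main__":
    for idx, rule_hit, banner_hit in scan(SAMPLES):
        print(f"segment {idx}: rule fired, well-formed banner={banner_hit}")
```

Segments 0, 1 and 4 trip the rule; only 0 and 1 survive the banner-shape check, which is the kind of narrowing that would address the false positives the reply anticipates. Segment 3 shows why nothing after the banner exchange is reliably detectable by content: once the session is encrypted the payload is indistinguishable from any other binary stream.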

