Snort mailing list archives

Re: Snort Detect Binary Transfer


From: Bamm Visscher <bamm.visscher () gmail com>
Date: Tue, 13 Jul 2004 13:43:58 -0500

Not a rule per se, but it's possible to make an educated guess on
whether a binary xfer or possible tunneling via ssh is happening using
session/connection/flow/whatever you want to call it data.

In short, look at the entire session. Regular ssh sessions cause many
'small' packets, whereas scp would generally cause a large, one-sided
stream. Tunneling would depend on the proto being tunneled, but
generally, more data would be seen on one side of the stream, with the
other side sending more data than, say, an scp.

Bammkkkk

On Tue, 13 Jul 2004 10:32:32 -0700 (PDT), Real Cucumber
<monkcucumber () yahoo com> wrote:
Does anyone know of a rule to detect if any binary
transfer is occurring?

Specifically this would be used for SSH/SFTP/SCP.

Just need a simple alert type of rule.

Thanks.


-------------------------------------------------------
This SF.Net email sponsored by Black Hat Briefings & Training.
Attend Black Hat Briefings & Training, Las Vegas July 24-29 -
digital self defense, top technical experts, no vendor pitches,
unmatched networking opportunities. Visit www.blackhat.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



-- 
http://sguil.sf.net
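The session-level guess described in the reply above, as an added sketch that is not part of the original thread and not Snort or Sguil code. The `Flow` field names and every threshold are assumptions for illustration; the sample sessions are constructed.

```python
from dataclasses import dataclass

@dataclass
class Flow:
    """One finished TCP/22 session as a flow record (field names are assumed)."""
    src_pkts: int    # packets from the connection initiator
    src_bytes: int
    dst_pkts: int    # packets from the SSH server
    dst_bytes: int

# Illustrative thresholds (assumptions, not from the thread); tune to a local baseline.
SMALL_AVG_PKT = 200      # mean bytes per packet typical of keystroke traffic
BULK_BYTES = 1_000_000   # minimum session size worth calling a transfer
ONE_SIDED = 0.95         # byte share of the heavy side for an scp-like stream
SKEWED = 0.60            # byte share of the heavy side for a lopsided two-way stream

def classify(f: Flow) -> str:
    pkts = f.src_pkts + f.dst_pkts
    total = f.src_bytes + f.dst_bytes
    if pkts == 0 or total == 0:
        return "empty"
    if total / pkts <= SMALL_AVG_PKT:
        return "interactive"          # many small packets
    if total < BULK_BYTES:
        return "unclassified"
    heavy_share = max(f.src_bytes, f.dst_bytes) / total
    if heavy_share >= ONE_SIDED:
        return "bulk-transfer"        # large, one-sided stream (scp/sftp-like)
    if heavy_share >= SKEWED:
        return "possible-tunnel"      # lopsided, but the light side is busier than scp
    return "unclassified"

# Constructed sample sessions, not captured traffic.
SAMPLES = {
    "shell": Flow(1800, 90_000, 1700, 160_000),
    "scp_upload": Flow(36_000, 50_000_000, 18_000, 900_000),
    "forwarded": Flow(9_000, 2_500_000, 14_000, 12_000_000),
    "no_data": Flow(0, 0, 0, 0),
}

if __name__ == "__main__":
    for name, flow in SAMPLES.items():
        print(f"{name:12s} {classify(flow)}")
```

The labels are triage hints for an analyst reviewing session data, not verdicts: SSH payloads are encrypted, so only sizes, counts and direction are available.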

