Snort mailing list archives
Re: Snort Detect Binary Transfer
From: Bamm Visscher <bamm.visscher () gmail com>
Date: Tue, 13 Jul 2004 13:43:58 -0500
Not a rule per se, but it's possible to make an educated guess on whether a binary xfer or possible tunneling via ssh is happening using session/connection/flow/whatever you want to call it data. In short, look at the entire session. Regular ssh sessions cause many 'small' packets, whereas scp would generally cause a large, one-sided stream. Tunneling would depend on the proto being tunneled, but generally, more data would be seen on one side of the stream, with the other side sending more data than say a scp.

Bamm

On Tue, 13 Jul 2004 10:32:32 -0700 (PDT), Real Cucumber <monkcucumber () yahoo com> wrote:
Does anyone know of a rule to detect if any binary transfer is occurring? Specifically this would be used for SSH/SFTP/SCP. Just need a simple alert type of rule. Thanks.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
http://sguil.sf.net
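
The session-level heuristic described in the reply above, as an added example that is not part of the original post and not code from Snort or Sguil: it labels finished port-22 sessions from their packet and byte counts alone. The `Flow` record layout, the three thresholds and the sample sessions are assumptions constructed for illustration and need tuning against local traffic.

```python
from dataclasses import dataclass

# All thresholds are illustrative assumptions (not from the thread); tune on local traffic.
SMALL_AVG_PAYLOAD = 200     # mean payload bytes/packet at or below this: keystroke-like
ONE_SIDED_RATIO = 20.0      # heavy side carries >= 20x the light side: one-sided stream
TUNNEL_MIN_RETURN = 50_000  # light side still moves real data: more than scp would

@dataclass(frozen=True)
class Flow:
    """Summary of one finished TCP session to port 22 (hypothetical record layout)."""
    name: str
    src_bytes: int   # payload bytes client -> server
    src_pkts: int
    dst_bytes: int   # payload bytes server -> client
    dst_pkts: int

def classify(flow: Flow) -> str:
    """Guess what an encrypted SSH session carried from its size and shape alone."""
    pkts = flow.src_pkts + flow.dst_pkts
    if pkts == 0:
        return "empty"
    avg_payload = (flow.src_bytes + flow.dst_bytes) / pkts
    heavy = max(flow.src_bytes, flow.dst_bytes)
    light = min(flow.src_bytes, flow.dst_bytes)
    if avg_payload <= SMALL_AVG_PAYLOAD:
        return "interactive"          # many small packets in both directions
    if heavy / max(light, 1) >= ONE_SIDED_RATIO:
        return "bulk-transfer"        # large one-sided stream, e.g. scp/sftp
    if light >= TUNNEL_MIN_RETURN:
        return "possible-tunnel"      # lopsided, but the quiet side is not quiet
    return "unclassified"

def review_queue(flows):
    """Return (name, label) for sessions an analyst should look at."""
    return [(f.name, classify(f)) for f in flows
            if classify(f) not in ("interactive", "empty")]

# Constructed sample sessions, not captured traffic.
SAMPLE_FLOWS = [
    Flow("shell",  src_bytes=9_600,   src_pkts=200,   dst_bytes=30_000,     dst_pkts=220),
    Flow("scp",    src_bytes=52_000,  src_pkts=3_600, dst_bytes=10_000_000, dst_pkts=7_000),
    Flow("tunnel", src_bytes=900_000, src_pkts=2_500, dst_bytes=6_000_000,  dst_pkts=5_000),
]

if __name__ == "__main__":
    for name, label in review_queue(SAMPLE_FLOWS):
        print(f"{name}: {label}")
```

The labels are triage hints for an analyst reviewing session data, not alerts: a long `tail -f` or a large `cat` in an interactive shell can look like a bulk transfer.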