Snort mailing list archives
Re: Snort Detect Binary Transfer
From: "Keith W. McCammon" <mccammon () gmail com>
Date: Wed, 14 Jul 2004 13:51:33 -0400
So how about a way to detect if large amounts of traffic or a traffic rate is occurring? For example, if the connection speed grows past 5KB/sec, alert. Is that possible?
You should be able to do this using a threshold rule based on dsize, although (again) you're not detecting a binary transfer, you're just detecting an abnormal amount of data flowing to a given host. Perhaps you might look into MRTG, RRDTool, NTop, or something similar. These tools are probably better suited to bandwidth monitoring and such, since that seems to be as close as you can come to binary transfer detection, given your situation (SSH).
--- "Keith W. McCammon" <mccammon () gmail com> wrote:

Does anyone know of a rule to detect if any binary transfer is occurring?

If you're looking for a specific binary, you may be able to do that. But to detect a binary transfer (independent of transport protocol), it would be hard to distinguish, for the obvious reasons. Snort sees the protocol headers at various levels, as well as the data. If there's a preprocessor involved, then it can do some more specific checks against those protocols. Unless you can manage a match using one of those methods, it's probably a guessing game at best.

Specifically this would be used for SSH/SFTP/SCP.

You're not going to have much luck trying to match against encrypted protocols, unless you've cooked up a new way to pass Snort the session keys. Try using Tripwire, or some other host-based scheme if you need to detect these types of system changes reliably.
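As an added illustration of the dsize-plus-threshold approach suggested above (example code written for this archive page, not code from the thread or from Snort itself), here is the same per-destination counting logic written out in Python over constructed packet records. The addresses, ports, sizes and the lowered count of 5 are made-up values chosen to keep the sample short.

```python
"""Per-destination data-volume alerting, modelled on a Snort rule that
combines dsize with 'threshold: type threshold, track by_dst'.
All packet records below are constructed for this example."""
from collections import defaultdict, deque

# A payload counts as "large" above MIN_PAYLOAD bytes; alert when one
# destination receives COUNT such payloads within WINDOW seconds.
# With COUNT=50 this would correspond to at least the 5 KB/s figure
# from the thread; COUNT is lowered to 5 so the sample stays short.
MIN_PAYLOAD = 1000
COUNT = 5
WINDOW = 10.0
SSH_PORT = 22


def detect_bulk_transfers(packets):
    """packets: iterable of (ts, src, dst, dport, payload_len).

    Returns a list of (ts, dst) alerts, at most one per destination per
    COUNT large payloads, mirroring how a 'type threshold' rule fires.
    Note what this cannot tell you: an encrypted SSH session carrying a
    binary looks the same as one carrying text; only volume is visible.
    """
    seen = defaultdict(deque)   # dst -> timestamps of recent large payloads
    alerts = []
    for ts, src, dst, dport, plen in packets:
        if dport != SSH_PORT or plen <= MIN_PAYLOAD:
            continue            # not SSH, or keystroke-sized traffic
        q = seen[dst]
        q.append(ts)
        while q and ts - q[0] > WINDOW:
            q.popleft()         # slide the window forward
        if len(q) >= COUNT:
            alerts.append((ts, dst))
            q.clear()           # start counting the next window afresh
    return alerts


# Constructed sample: one host pulling a bulk stream, one idle, one non-SSH.
SAMPLE = [
    # ts,  src,        dst,         dport, payload bytes
    (0.0,  "10.0.0.5", "10.0.0.22", 22,  64),    # interactive-sized, ignored
    (0.5,  "10.0.0.5", "10.0.0.22", 22,  1448),
    (1.0,  "10.0.0.5", "10.0.0.22", 22,  1448),
    (1.5,  "10.0.0.5", "10.0.0.22", 22,  1448),
    (2.0,  "10.0.0.5", "10.0.0.22", 22,  1448),
    (2.5,  "10.0.0.5", "10.0.0.22", 22,  1448),  # fifth large segment: alert
    (3.0,  "10.0.0.7", "10.0.0.23", 22,  1448),
    (20.0, "10.0.0.7", "10.0.0.23", 22,  1448),  # outside window, no alert
    (40.0, "10.0.0.9", "10.0.0.22", 443, 1448),  # not SSH, ignored
]

if __name__ == "__main__":
    for ts, dst in detect_bulk_transfers(SAMPLE):
        print(f"t={ts:5.1f}s  high data volume to {dst} over SSH")
```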
Current thread:
- Snort Detect Binary Transfer Real Cucumber (Jul 13)
- Re: Snort Detect Binary Transfer Keith W. McCammon (Jul 13)
- Re: Snort Detect Binary Transfer Real Cucumber (Jul 14)
- Re: Snort Detect Binary Transfer Keith W. McCammon (Jul 14)
- Re: Snort Detect Binary Transfer Bamm Visscher (Jul 14)
- Re: Snort Detect Binary Transfer Omar McKenzie (Jul 17)
- Re: Snort Detect Binary Transfer Real Cucumber (Jul 14)
- Re: Snort Detect Binary Transfer Matt Kettler (Jul 13)
- Re: Snort Detect Binary Transfer Bamm Visscher (Jul 13)
- Re: Snort Detect Binary Transfer Keith W. McCammon (Jul 13)