Snort mailing list archives
Re: Snort Detect Binary Transfer
From: Bamm Visscher <bamm.visscher () gmail com>
Date: Wed, 14 Jul 2004 12:57:11 -0500
Do data analysis based on session data. For example, here I did three different types of ssh connections to my test box (sorry about the readability, but I just exported it from a query within sguil):

Sensor||SSN ID||Start Time||End Time||Source IP||Source Port||Dest IP||Dest Port||Source Packets||Source Bytes||Dest Packets||Dest Bytes
reset||4680432811155636472||2004-07-13 19:49:44||2004-07-13 19:51:37||192.168.8.102||32798||10.1.1.2||22||363||9648||216||20223
reset||4680434039516124695||2004-07-13 19:54:30||2004-07-13 19:54:44||192.168.8.102||32799||10.1.1.2||22||1187||4288||2187||24279
reset||4680435834812621322||2004-07-13 20:01:28||2004-07-13 20:01:46||192.168.8.102||32800||10.1.1.2||22||1195||4336||2163||24327
reset||4680436036675874162||2004-07-13 20:02:15||2004-07-13 20:09:16||192.168.8.102||32801||10.1.1.2||22||238||10336||219||61999

The scp is easy to find as it's the relatively short session (14 secs) and both sides sent a lot of packets (src: 1187, dst: 2187). Unless a user is copy/pasting a lot of text into an interactive ssh cnx, you won't see numbers like that in such a short period of time, since once the session is established you basically get one encrypted packet for each char typed (really fast typers might be able to get two chars in a packet sometimes). So, if you assume that 100 packets were used for setup/tear down, then that'd mean the user would still have to type almost 1000 chars in 14 secs.

I'd expect that if I pulled up raw packets related to the connections, I'd find even more differences. For the curious, the first session is an interactive shell where I cd'd around and opened a few files in vi. The third session is where I tunneled sguil comms over ssh.

Oh, the data was collected using sancp (http://www.metre.net/sancp.html) and then mined with sguil (http://sguil.sf.net). It would be simple to set up a standard query that you ran every hour/day/whatever to look for 'unwanted' cnxs like those.
<shameless plug> This is an example of what we call Network Security Monitoring (NSM) versus IDS. The idea is to use more sources of information to do analysis than just IDS alerts. Check out these two chapters from Richard Bejtlich's soon to be released book "The Tao of Network Security Monitoring" for more info: http://www.awprofessional.com/content/images/0321246772/samplechapter/bejtlich_chs.pdf </shameless plug>

Bammkkkk

On Wed, 14 Jul 2004 10:06:32 -0700 (PDT), Real Cucumber <monkcucumber () yahoo com> wrote:
> Good point. Since the only thing running through this firewall is SSH, but the main purpose of the SSH is to allow access to a legacy text based application with no file transfers allowed, I want to detect if anyone uses SFTP or SCP to download files, so I assume I could detect this judging by the transfer rate. So how about a way to detect if large amounts of traffic or a traffic rate is occurring? For example, if the connection speed grows past 5KB/sec, alert. Is that possible?
-- 
http://sguil.sf.net
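The heuristic in the post above (interactive ssh produces roughly one packet per keystroke after setup, so a client-side packet rate well above typing speed in a short session means bulk data) and the byte-rate check asked about in the quoted question can both be run over sancp/sguil session records. The following is an added example, not code from the post or from sguil/sancp; it parses the '||'-delimited export format shown in the post (the four rows are reused as constructed sample input), and the 100-packet setup allowance, the 10 chars/sec typing ceiling and the 5 KB/sec byte-rate threshold are assumptions chosen to mirror the thread. Function and field names are the example's own.

```python
"""Flag non-interactive ssh sessions from sancp/sguil-style session records.

Added example (not from the post). Heuristic, per the post: after ~100
packets of setup/teardown, each keystroke in an interactive ssh session is
about one client packet, so a client packet rate far above human typing
speed indicates bulk transfer (scp/sftp) or a tunnel. Thresholds are
assumptions.
"""
from datetime import datetime

# Constructed sample input: the four rows quoted in the post, in sguil's
# '||'-delimited export format (header omitted).
SESSION_EXPORT = """\
reset||4680432811155636472||2004-07-13 19:49:44||2004-07-13 19:51:37||192.168.8.102||32798||10.1.1.2||22||363||9648||216||20223
reset||4680434039516124695||2004-07-13 19:54:30||2004-07-13 19:54:44||192.168.8.102||32799||10.1.1.2||22||1187||4288||2187||24279
reset||4680435834812621322||2004-07-13 20:01:28||2004-07-13 20:01:46||192.168.8.102||32800||10.1.1.2||22||1195||4336||2163||24327
reset||4680436036675874162||2004-07-13 20:02:15||2004-07-13 20:09:16||192.168.8.102||32801||10.1.1.2||22||238||10336||219||61999
"""

FIELDS = ("sensor", "ssn_id", "start", "end", "src_ip", "src_port",
          "dst_ip", "dst_port", "src_pkts", "src_bytes", "dst_pkts", "dst_bytes")
INT_FIELDS = ("src_port", "dst_port", "src_pkts", "src_bytes", "dst_pkts", "dst_bytes")
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_sessions(text):
    """Parse '||'-delimited session rows into dicts; reject malformed rows."""
    sessions = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split("||")
        if len(parts) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
        s = dict(zip(FIELDS, parts))
        for k in INT_FIELDS:
            s[k] = int(s[k])
        s["start"] = datetime.strptime(s["start"], TIME_FMT)
        s["end"] = datetime.strptime(s["end"], TIME_FMT)
        sessions.append(s)
    return sessions


def session_metrics(s, setup_pkts=100):
    """Duration, client data-packet rate (after setup allowance) and total byte rate."""
    # One-second floor avoids division by zero for sessions that open and
    # close within the same second of the timestamp resolution.
    duration = max((s["end"] - s["start"]).total_seconds(), 1.0)
    data_pkts = max(s["src_pkts"] - setup_pkts, 0)
    return {
        "duration_s": duration,
        "client_pkt_rate": data_pkts / duration,
        "byte_rate": (s["src_bytes"] + s["dst_bytes"]) / duration,
    }


def flag_bulk_sessions(sessions, max_typing_rate=10.0, setup_pkts=100, ssh_port=22):
    """Session IDs whose client packet rate exceeds a plausible typing speed.

    max_typing_rate is chars (packets) per second; 10/s is about 120 wpm,
    an assumed ceiling for a human at the keyboard.
    """
    flagged = []
    for s in sessions:
        if s["dst_port"] != ssh_port:
            continue
        if session_metrics(s, setup_pkts)["client_pkt_rate"] > max_typing_rate:
            flagged.append(s["ssn_id"])
    return flagged


def flag_by_byte_rate(sessions, min_bytes_per_sec=5 * 1024, ssh_port=22):
    """Session IDs whose combined byte rate exceeds a threshold (the 5 KB/s idea)."""
    return [s["ssn_id"] for s in sessions
            if s["dst_port"] == ssh_port
            and session_metrics(s)["byte_rate"] >= min_bytes_per_sec]


if __name__ == "__main__":
    sessions = parse_sessions(SESSION_EXPORT)
    for s in sessions:
        m = session_metrics(s)
        print(f"{s['ssn_id']} {m['duration_s']:6.0f}s "
              f"client pkts/s={m['client_pkt_rate']:6.1f} bytes/s={m['byte_rate']:7.1f}")
    print("packet-rate flags:", flag_bulk_sessions(sessions))
    print("byte-rate flags:  ", flag_by_byte_rate(sessions))
```

On the four rows from the post, the packet-rate rule flags the second session (the scp, about 78 client packets/sec after the setup allowance) and the third (the sguil tunnel, about 61/sec), and leaves the two interactive sessions alone. The plain byte-rate rule at 5 KB/sec flags none of them, because the scp moved under 30 KB in 14 seconds; a small-file transfer or a low-volume tunnel shows up in packet counts before it shows up in throughput, which is the point of looking at session records rather than a single bandwidth threshold. Both thresholds should be tuned against a baseline of known-good sessions on the network in question.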
Current thread:
- Snort Detect Binary Transfer Real Cucumber (Jul 13)
- Re: Snort Detect Binary Transfer Keith W. McCammon (Jul 13)
- Re: Snort Detect Binary Transfer Real Cucumber (Jul 14)
- Re: Snort Detect Binary Transfer Keith W. McCammon (Jul 14)
- Re: Snort Detect Binary Transfer Bamm Visscher (Jul 14)
- Re: Snort Detect Binary Transfer Omar McKenzie (Jul 17)
- Re: Snort Detect Binary Transfer Real Cucumber (Jul 14)
- Re: Snort Detect Binary Transfer Matt Kettler (Jul 13)
- Re: Snort Detect Binary Transfer Bamm Visscher (Jul 13)
- Re: Snort Detect Binary Transfer Keith W. McCammon (Jul 13)