Educause Security Discussion mailing list archives
Re: IRC, IM Proxy Implementations
From: Gary Flynn <flynngn () JMU EDU>
Date: Fri, 3 Sep 2004 09:54:58 -0400
Richard Gadsden wrote:

> Granted, that is true. But what about the "stealthier" bot species that have since, in order to evade the port block countermeasure, moved their IRC traffic flows to non-standard ports? Are you able to detect those IRC traffic flows?

There are lots of Snort sigs out for various IRC detections. I'm contemplating configuring our IDP to start doing something proactive with the more egregious traffic.

> I see the short-term value of blocking the standard ports (and it sounds like it's been a win for IU), but the gains are already being eroded as the bots "evolve" into using non-standard ports... and as Morrow has just suggested, if/when encryption of the bots' IRC flows becomes common, detecting these flows will be even more difficult :-(

No doubt all malware will eventually evolve into encrypted web traffic. Web services and XML are as valuable to the bad guys as to the good. :)

When that happens, we'll be left with few choices:

1) Traffic flow analysis, which will be of most use for networks that can define good/bad/normal usage.
2) Organizational encryption/decryption boundaries and/or key escrow.
3) Manage the Internet :)

--
Gary Flynn
Security Engineer
James Madison University

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
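The two detection strategies argued over in this exchange, port-agnostic payload matching (the idea behind the Snort IRC signatures Gary mentions) and the traffic flow analysis he falls back on once the channel is encrypted, side by side in a small Python script. This is an added example, not code from the thread or from any of the institutions named in it; the flows, host addresses and the "#cc" channel are constructed, and the `Flow` class, `classify` and `fan_in` names are mine. The third and fourth flows stand in for a bot whose IRC session is wrapped in TLS: the signature check has nothing to match, and only the fan-in heuristic still flags the rendezvous point.

```python
"""Port-agnostic IRC detection plus a simple flow-analysis heuristic.

Added example; the flows below are constructed, not captured traffic.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Client-side IRC commands (RFC 1459/2812) at the start of a CRLF-terminated line.
# Matching on protocol grammar rather than on destination port is what lets the
# check follow a bot that has moved its C&C channel off 6667.
IRC_CLIENT_CMD = re.compile(
    rb"^(?::\S+ )?(NICK|USER|JOIN|PRIVMSG|NOTICE|PONG|MODE)\b",
    re.IGNORECASE | re.MULTILINE,
)

# Standard IRC ports that a port-block policy would cover.
STANDARD_IRC_PORTS = frozenset({6665, 6666, 6667, 6668, 6669, 7000})


@dataclass(frozen=True)
class Flow:
    client: str          # internal host (constructed address)
    server: str          # external host (constructed address)
    dport: int
    payload: bytes       # client->server bytes seen by the sensor


def looks_like_irc(payload: bytes, min_distinct: int = 2) -> bool:
    """True if at least `min_distinct` different IRC client commands appear.

    A lone NICK could be a false positive; NICK+USER, or JOIN+PRIVMSG, is the
    registration/chat pattern every IRC bot has to produce in cleartext.
    """
    cmds = {m.group(1).upper() for m in IRC_CLIENT_CMD.finditer(payload)}
    return len(cmds) >= min_distinct


def classify(flow: Flow) -> str:
    """Per-flow verdict: what a port block catches vs. what payload inspection catches."""
    if flow.dport in STANDARD_IRC_PORTS:
        return "irc-standard-port"
    if looks_like_irc(flow.payload):
        return "irc-nonstandard-port"
    return "no-irc-signature"


def fan_in(flows, min_clients: int = 3):
    """Flow analysis that needs no payload: (server, port) pairs contacted by
    many distinct internal hosts. Works even when the channel is encrypted,
    but only on a network that knows what normal fan-in looks like."""
    clients = defaultdict(set)
    for f in flows:
        clients[(f.server, f.dport)].add(f.client)
    return {k for k, v in clients.items() if len(v) >= min_clients}


# Constructed sample flows (not real captures).
CLEARTEXT_IRC = (
    b"NICK bot-7a3f\r\n"
    b"USER bot 0 * :bot\r\n"
    b"JOIN #cc\r\n"
    b"PRIVMSG #cc :ready\r\n"
)
HTTP_GET = b"GET /index.html HTTP/1.1\r\nHost: www.example.net\r\n\r\n"
# Opaque bytes standing in for a TLS-wrapped session: nothing for a signature to match.
TLS_BLOB = b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\x9c\x2e\x1d\x07" * 12

SAMPLE_FLOWS = [
    Flow("10.1.1.10", "203.0.113.5", 6667, CLEARTEXT_IRC),   # classic: port block catches it
    Flow("10.1.1.11", "203.0.113.5", 443, CLEARTEXT_IRC),    # moved port: payload check catches it
    Flow("10.1.1.12", "203.0.113.5", 443, TLS_BLOB),         # encrypted: only flow analysis left
    Flow("10.1.1.13", "203.0.113.5", 443, TLS_BLOB),
    Flow("10.1.1.14", "198.51.100.9", 80, HTTP_GET),         # benign web traffic
]


def run(flows=SAMPLE_FLOWS):
    """Return per-flow verdicts keyed by client, plus the suspicious rendezvous points."""
    verdicts = {f.client: classify(f) for f in flows}
    return verdicts, fan_in(flows)


if __name__ == "__main__":
    verdicts, hubs = run()
    for client, verdict in verdicts.items():
        print(f"{client:<12} {verdict}")
    print("fan-in hubs:", hubs)
```

Run as-is it prints one verdict per constructed flow and the single (server, port) pair that three internal hosts share. The fan-in threshold and the "two distinct commands" rule are the tunables a real deployment would set from its own baseline; on a campus network a legitimate IRC server or a popular HTTPS site will exceed a fan-in of three, which is exactly why Gary limits the flow-analysis option to networks that can define normal usage.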
Current thread:
- Re: IRC, IM Proxy Implementations, (continued)
- Re: IRC, IM Proxy Implementations Craig Blaha (Sep 02)
- Re: IRC, IM Proxy Implementations Gary Flynn (Sep 02)
- Re: IRC, IM Proxy Implementations Gary Flynn (Sep 02)
- Re: IRC, IM Proxy Implementations Dave Monnier, IT Security Office, Indiana University (Sep 02)
- Re: IRC, IM Proxy Implementations Richard Gadsden (Sep 02)
- Re: IRC, IM Proxy Implementations Dave Monnier, IT Security Office, Indiana University (Sep 02)
- Re: IRC, IM Proxy Implementations H. Morrow Long (Sep 02)
- Re: IRC, IM Proxy Implementations Justin Azoff (Sep 03)
- Re: IRC, IM Proxy Implementations Richard Gadsden (Sep 03)
- Re: IRC, IM Proxy Implementations Dave Monnier, IT Security Office, Indiana University (Sep 03)
- Re: IRC, IM Proxy Implementations Gary Flynn (Sep 03)
- Re: IRC, IM Proxy Implementations Brian Eckman (Sep 03)
- Re: IRC, IM Proxy Implementations Mike Iglesias (Sep 03)
- Re: IRC, IM Proxy Implementations Richard Gadsden (Sep 03)
- Re: IRC, IM Proxy Implementations Justin Azoff (Sep 03)
- Re: IRC, IM Proxy Implementations Justin Azoff (Sep 03)
- Re: IRC, IM Proxy Implementations Dave Monnier, IT Security Office, Indiana University (Sep 03)
- Re: IRC, IM Proxy Implementations John Kristoff (Sep 03)
- Re: IRC, IM Proxy Implementations John Kristoff (Sep 03)
- Re: IRC, IM Proxy Implementations H. Morrow Long (Sep 03)
- Re: IRC, IM Proxy Implementations Mike Porter (Sep 05)
(Thread continues...)