IDS mailing list archives
RE: Detecting trojans on random ports with encrypted traffic...
From: "Carey, Steve T ISD" <steve.carey () redstone army mil>
Date: Wed, 23 Oct 2002 21:08:47 -0500
One of the things I have noticed is that for any encryption the initial phase is unencrypted and normally has enough information to identify the program, whether a Trojan or a normal program. If you miss that first set of pushes, then you can't tell bad (Trojan) traffic from good (normal) traffic.

-----Original Message-----
From: Clint Byrum
To: focus-ids () securityfocus com
Sent: 10/23/2002 3:55 PM
Subject: Detecting trojans on random ports with encrypted traffic...

Ok so, we can obviously see sub7 on port 27374 with its known signature patterns. But then they go and run it on a different port. And then they go and encrypt things (I don't know if sub7 can do this, but for instance BO or something else).

The scenario is, a user brings a floppy disk with a trojan on it to the location, and puts the trojan on another user's computer. They then sit back and watch the keylogging/passwords/etc., etc.

So, is this what SPADE is supposed to handle? I mean.. currently the only solution I have come up with is to designate subnets that are not supposed to be talking to each other, and alert on peer to peer traffic. But this isn't always possible, and this doesn't cover traffic where the trojan is on a server.

Is there any hope to detect this situation?
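The two ideas raised in this exchange, classifying a flow from the first bytes the client pushes regardless of the destination port, and alerting on traffic between workstation subnets that should never talk to each other, can be combined into one simple triage pass over flow records. The following is an added example written for this archive page, not code from either poster or from any IDS product. The protocol signatures are deliberately minimal prefix checks (TLS ClientHello record header, SSH banner, HTTP method), the workstation subnets are made up, and the flow records and their payload bytes are constructed for illustration.

```python
"""Port-independent first-payload classification plus a peer-to-peer policy
check, run over constructed flow records.  Added example; the signatures are
simplified prefix tests and the subnets/flows are invented for illustration."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Workstation subnets that are not supposed to talk to each other directly
# (constructed for the example; substitute your own address plan).
WORKSTATION_SUBNETS = [
    ipaddress.ip_network("10.1.0.0/24"),
    ipaddress.ip_network("10.2.0.0/24"),
]


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    first_payload: bytes  # first data segment the client pushed after the handshake


def identify_protocol(first_payload: bytes) -> str:
    """Classify a flow from its first client payload, ignoring the port.

    Even encrypted protocols start in the clear: a TLS session opens with a
    handshake record (content type 0x16, version 0x03 0xNN, then a ClientHello,
    handshake type 0x01 at offset 5); SSH opens with an ASCII banner.  Anything
    that matches none of these is reported as unknown.
    """
    if (len(first_payload) >= 6 and first_payload[0] == 0x16
            and first_payload[1] == 0x03 and first_payload[5] == 0x01):
        return "tls-client-hello"
    if first_payload.startswith((b"SSH-2.0-", b"SSH-1.99-")):
        return "ssh"
    if first_payload.startswith((b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ")):
        return "http"
    return "unknown"


def is_workstation(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WORKSTATION_SUBNETS)


def analyse(flow: Flow) -> list[str]:
    """Return the findings for one flow (empty list means nothing to report)."""
    findings = []
    if identify_protocol(flow.first_payload) == "unknown":
        findings.append(f"unrecognised protocol on tcp/{flow.dport}")
    if is_workstation(flow.src) and is_workstation(flow.dst):
        findings.append("workstation-to-workstation flow")
    return findings


def triage(flows: list[Flow]) -> dict[str, list[str]]:
    """Map 'src->dst:port' to its findings, keeping only flows that produced any."""
    report = {}
    for f in flows:
        findings = analyse(f)
        if findings:
            report[f"{f.src}->{f.dst}:{f.dport}"] = findings
    return report


# Constructed sample flows.  The opaque byte strings are invented stand-ins for
# a custom trojan protocol, not a real backdoor's signature.
SAMPLE_FLOWS = [
    # Ordinary HTTPS to a server: TLS record header followed by a ClientHello.
    Flow("10.1.0.5", "192.0.2.10", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    # Workstation to workstation on a non-standard port, opaque first payload.
    Flow("10.1.0.5", "10.2.0.7", 31337, b"\xa7\x1c\x03\x00\x9e\x42\x11\xf0"),
    # Workstation to workstation, but a recognisable protocol.
    Flow("10.1.0.5", "10.2.0.7", 80, b"GET /index.html HTTP/1.0\r\n"),
    # Workstation to a server on an odd port: the peer-to-peer rule misses it,
    # the first-payload check still flags it.
    Flow("10.1.0.9", "192.0.2.20", 8443, b"\x00\x00\x00\x10\x7f\x3a\x90\x01"),
]

if __name__ == "__main__":
    for key, findings in triage(SAMPLE_FLOWS).items():
        print(key, "->", "; ".join(findings))
```

Running the block reports nothing for the genuine HTTPS flow, both findings for the workstation-to-workstation flow on tcp/31337, only the peer-to-peer finding for the HTTP flow between the two workstations, and only the unrecognised-protocol finding for the flow to the server on tcp/8443. The point of keeping the two checks separate is that each covers a case the other cannot: the subnet rule catches a peer-to-peer channel even if the trojan speaks a recognisable protocol, while the first-payload check still works when the trojan is on a server, provided the sensor saw those first pushes.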
Current thread:
- RE: Detecting trojans on random ports with encrypted traffic... Carey, Steve T ISD (Oct 23)
- <Possible follow-ups>
- Detecting trojans on random ports with encrypted traffic... Clint Byrum (Oct 23)
- Re: Detecting trojans on random ports with encrypted traffic... Frank Knobbe (Oct 24)
- Re: Detecting trojans on random ports with encrypted traffic... Clint Byrum (Oct 24)
- RE: Detecting trojans on random ports with encrypted traffic... Chris Petersen (Oct 30)
- RE: Detecting trojans on random ports with encrypted traffic... Clint Byrum (Oct 30)
- Re: Detecting trojans on random ports with encrypted traffic... Frank Knobbe (Oct 24)