RE: Detecting trojans on random ports with encrypted traffic...

[Clint Byrum <cbyrum () spamaps org>]

On Wed, 2002-10-30 at 06:00, Chris Petersen wrote:
> A commercial solution you may also want to investigate is Stealthwatch
> by Lancope.  From what I have read (haven't had hands on unfortunately)
> this technology is uniquely designed to detect those attacks where
> signatures don't or can't exist (e.g., reasons expressed below).
> Stealthwatch detects attacks via "flow-based analysis", that is they
> keep a table of who is talking to who and how.  A newly installed
> trojan/backdoor should initiate a "flow" (unique SIP, DIP, SPort, DPort,
> Protocol) that has never been seen on the network before (e.g., outbound
> connection to attacker).  This flow will be identified and compared to
> the baseline of "normal" flows captured/catalogued where it will be
> determined anomalous and an alarm will be generated.  

Isn't this similar to what SPADE does in snort?

> May be worth investigating
> http://www.lancope.com/
>
>
>
> > -----Original Message-----
> > From: Clint Byrum [mailto:cbyrum () spamaps org] 
> > Sent: Thursday, October 24, 2002 2:22 PM
> > To: focus-ids () securityfocus com
> > Subject: Re: Detecting trojans on random ports with encrypted 
> > traffic...
> >
> >
> > On Thu, 2002-10-24 at 09:03, Frank Knobbe wrote:
> > > Intrusion Detection does not have to rely on signatures 
> > alone. You can 
> > > and should create your own rules that can spot abnormal traffic.
> > >
> > > Since it sounds like you are using Snort, you can write rules that 
> > > detect connections from and to ports that you normally 
> > don't use. The 
> > > classic example is rules for a web server that alerts you 
> > when the web 
> > > server start to establish connection to the outside on its own (not 
> > > counting any connections that are normal like virus scanner 
> > updates). 
> > > Or create rules that allow users to connect to various 
> > allowed ports 
> > > (i.e. ftp, http, ntp), but alerts you when there are odd outbound 
> > > connections (such as some trojans would do).
> > >
> > > If you ad some 'behavioral' rules to Snort, or any IDS, you 
> > can detect 
> > > a great deal more than just with signatures.
> >
> > Well, as I stated in the original post, thats what I'm doing 
> > right now. But I have run in to one situation(only one 
> > detected anyways) where a machine at one site was given a 
> > trojan, running on port 80. The behavioral rules weren't 
> > quite as complete as they should have been, so this wasn't 
> > detected because site to site traffic wasn't considered suspicious.
> >
> > Sometimes behavioral rules can be very hard to write. In most 
> > cases a site has a few servers in the front parts of the 
> > subnet, followed by some network printers, then the client 
> > machines. I suppose aligning things via CIDR would make it 
> > easier to write these types of rules. 
> >
> > Otherwise, when you're talking about sites with hundreds of 
> > users, and > 30 or 40 servers... the rules start to multiply 
> > quickly. And at least with snort... things get less and less 
> > "lightweight" when you're talking about thousands of rules. 
> > Maybe its time to check out Prelude...