IDS mailing list archives
Re: ssh and ids
From: Ron Gula <rgula () tenablesecurity com>
Date: Mon, 21 Jun 2004 11:20:27 -0400
At 06:18 PM 6/18/2004 +0000, Runion Mark A FGA DOIM WEBMASTER(ctr) wrote:
Let's suppose the attacker is mildly sophisticated, and after making the initial assault roots the box and installs a secure backdoor or two. Is there any IDS capable of isolating data it cannot read, except to monitor authorized port usage of a system or group of systems?
It's interesting that you're mentioning this, as we've been working on this subject for a while with our NeVO passive vulnerability scanner. We had a lot of success in finding actual compromised systems with NeVO 1.0 when the backdoor shell or high port SSH daemon was used. We've seen worms, malicious admins and hackers place backdoor tools on all sorts of systems and have had NeVO detect these tools as a service. For example, one of our customers found an SSH daemon listening on port 22222 with NeVO. Of course, a Nessus scan or a port scan for port 22222 would identify it as an SSH listener, but most people don't do full port scans across multiple Class Bs.

NeVO 2.0 also extends this analysis to look for generic interactive or encrypted sessions going to or from your servers. In other words, when NeVO learns that you have a web server, it will monitor all traffic to and from that web server to look for any new services, and when it sees this activity, it can report it as a new service, an encrypted session or an interactive session. It readily detects things like people binding cmd.exe to a port or running SSH on an off port. If someone throws cryptcat or some other encrypted program, NeVO will recognize the session as a potential backdoor.

NeVO 2.0 does several other functions above and beyond backdoor detection, but since it is not released yet, I do not want to discuss them.

Ron Gula, CTO
Tenable Network Security
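The approach described above (learn which ports a known server normally serves, flag any new listening port, then classify the session from its first bytes as SSH on an off port, encrypted, or interactive) can be sketched in a few dozen lines. The following is an added illustration, not Tenable's code and not from the original post: the flow-record layout, the sample traffic, the entropy threshold of 6.5 bits per byte and the keystroke heuristic are all assumptions chosen for the example.

```python
"""Passive new-service / backdoor detector over constructed flow records.

Added example: not NeVO or any Tenable code. It models the idea in the post:
learn a server's normal ports, alert on a new port, and label the session
from the first server bytes and the sizes of the first client packets.
Record format, thresholds and all sample data are assumptions.
"""
import hashlib
import math
from collections import defaultdict

# Constructed record: (client, server, server_port, server_payload, client_pkt_sizes)
#   server_payload   : first bytes the server sent
#   client_pkt_sizes : sizes of the first client-to-server packets after the handshake


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def learn_baseline(flows):
    """Map server -> set of ports seen serving traffic during the learning period."""
    baseline = defaultdict(set)
    for _client, server, port, _payload, _sizes in flows:
        baseline[server].add(port)
    return baseline


def classify(port, payload, client_sizes):
    """Label a session from its first server bytes and client packet sizes."""
    if payload.startswith(b"SSH-"):                     # SSH version banner
        return "ssh listener" + (" on off-port" if port != 22 else "")
    if len(payload) >= 64 and entropy(payload) > 6.5:   # ciphertext-like stream
        return "encrypted session"
    # Keystroke-like traffic: several tiny (1-4 byte) client packets in a row.
    if len(client_sizes) >= 5 and sum(1 for s in client_sizes if s <= 4) >= 4:
        return "interactive session"
    return "new service (unclassified)"


def detect_new_services(baseline, flows):
    """Alert once per (server, port) not in that server's learned baseline.
    Hosts the baseline never saw are ignored: a passive sensor only judges
    what it has already learned about."""
    alerts, seen = [], set()
    for _client, server, port, payload, sizes in flows:
        if server not in baseline or port in baseline[server]:
            continue
        if (server, port) in seen:
            continue
        seen.add((server, port))
        alerts.append((server, port, classify(port, payload, sizes)))
    return alerts


def _constructed_ciphertext(n=512):
    """Deterministic random-looking bytes standing in for a captured encrypted stream."""
    out, block = b"", b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


WEB = "10.0.0.80"  # assumed web server address
CMD_BANNER = (b"Microsoft Windows [Version 5.2.3790]\r\n"
              b"(C) Copyright 1985-2003 Microsoft Corp.\r\n\r\nC:\\WINDOWS\\system32>")

# Constructed learning-period traffic: the web server only speaks on 80 and 443.
LEARNING = [
    ("192.0.2.10", WEB, 80, b"HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n", [512, 480]),
    ("192.0.2.11", WEB, 443, b"\x16\x03\x01\x00\x4f\x02" + b"\x00" * 70, [517, 64]),
]

# Constructed later traffic: baseline port, SSH on 22222, cmd.exe bound to 4444,
# an encrypted backdoor on 31337, a plain new HTTP service, and an unknown host.
OBSERVED = [
    ("192.0.2.12", WEB, 80, b"HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n", [512]),
    ("198.51.100.5", WEB, 22222, b"SSH-2.0-OpenSSH_3.8p1\r\n", [48, 24]),
    ("198.51.100.5", WEB, 22222, b"SSH-2.0-OpenSSH_3.8p1\r\n", [48, 24]),  # duplicate
    ("198.51.100.6", WEB, 4444, CMD_BANNER, [1, 1, 1, 1, 1, 2]),
    ("198.51.100.7", WEB, 31337, _constructed_ciphertext(), [64, 64]),
    ("192.0.2.13", WEB, 8080, b"HTTP/1.0 200 OK\r\nServer: SimpleHTTP/0.6\r\n\r\n", [300]),
    ("198.51.100.8", "10.0.0.99", 22222, b"SSH-2.0-OpenSSH_3.8p1\r\n", [48]),
]


def demo():
    """Run the detector over the constructed traffic and return its alerts."""
    return detect_new_services(learn_baseline(LEARNING), OBSERVED)


if __name__ == "__main__":
    for server, port, label in demo():
        print(f"{server}:{port}  {label}")
```

The entropy test is deliberately applied only once enough server bytes have been seen; a short banner, whether SSH or a shell prompt, is handled by the earlier checks. A real sensor would also need a learning window per host and a timeout before a never-before-seen port is promoted into the baseline, neither of which this sketch models.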
Current thread:
- Re: ssh and ids, (continued)
- Re: ssh and ids Martin Roesch (Jun 21)
- Re: ssh and ids Tony Carter (Jun 22)
- Re: ssh and ids Jason (Jun 22)
- Re: ssh and ids Adam Powers (Jun 22)
- Re: ssh and ids Martin Roesch (Jun 23)
- Re: ssh and ids Christian Kreibich (Jun 24)
- Re: ssh and ids Martin Roesch (Jun 21)
- Re: ssh and ids Gary Flynn (Jun 21)
- Re: ssh and ids Frank Knobbe (Jun 22)
- Re: ssh and ids Bamm Visscher (Jun 23)
- Re: ssh and ids Frank Knobbe (Jun 23)
- Re: ssh and ids Frank Knobbe (Jun 22)
- RE: ssh and ids Frank Knobbe (Jun 22)
- Re: ssh and ids Adam Powers (Jun 22)
- Re: ssh and ids David W. Goodrum (Jun 22)
- RE: ssh and ids Thierry Evangelista (Jun 23)
- Re: ssh and ids David W. Goodrum (Jun 23)
- Re: ssh and ids Tony Carter (Jun 24)