IDS mailing list archives

Re: ssh and ids


From: Ron Gula <rgula () tenablesecurity com>
Date: Mon, 21 Jun 2004 11:20:27 -0400

At 06:18 PM 6/18/2004 +0000, Runion Mark A FGA DOIM WEBMASTER(ctr) wrote:
Let's suppose the attacker is mildly sophisticated, and after making the
initial assault roots the box and installs a secure backdoor or two.  Is
there any IDS capable of isolating data it cannot read, except to monitor
authorized port usage of a system or group of systems?

That's interesting you're mentioning this, as we've been working on
this subject for a while with our NeVO passive vulnerability scanner.
We had a lot of success in finding actual compromised systems with
NeVO 1.0 when the backdoor shell or high port SSH daemon was used.
We've seen worms, malicious admins and hackers place backdoor tools
on all sorts of systems and have had NeVO detect these tools as a
service. For example, one of our customers found an SSH daemon
listening on port 22222 with NeVO. Of course, a Nessus or scan for
port 22222 would identify it as an SSH listener, but most people
don't do full port scans across multiple Class Bs.

NeVO 2.0 also extends this analysis to look for generic interactive
or encrypted sessions going to or from your servers. In other words,
when NeVO learns that you have a web server, it will monitor all
traffic to and from that web server to look for any new services
and when it sees this activity, it can report it as a new service,
an encrypted session or an interactive session. It readily detects
things like people binding cmd.exe to a port or running SSH on an
off port. If someone throws cryptcat or some other encrypted program,
NeVO will recognize the session as a potential backdoor. NeVO 2.0
does several other functions above and beyond backdoor detection,
but since it is not released yet, I do not want to discuss them.

Ron Gula, CTO
Tenable Network Security
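The detection approach described above (learn a server's known ports, then flag an SSH banner on an off port and encrypted or interactive sessions on any new port) sketched as an added Python example; this is not NeVO's code, and the session records, the entropy threshold and the shell-prompt heuristic are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

SESSIONS = [  # constructed, not captured traffic: (server, port, first bytes the server sent)
    ("10.0.0.5", 80, b"HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n"),
    ("10.0.0.5", 80, b"HTTP/1.1 404 Not Found\r\n\r\n"),
    ("10.0.0.5", 22222, b"SSH-2.0-OpenSSH_3.8p1\r\n"),  # SSH daemon on an off port
    ("10.0.0.5", 31337, bytes(range(256))),  # stand-in for an encrypted channel: max entropy
    ("10.0.0.5", 4444, b"Microsoft Windows 2000 [Version 5.00.2195]\r\nC:\\>"),  # shell prompt
]

def shannon_entropy(data):
    """Bits per byte; encrypted or compressed data approaches 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def classify(payload):
    """Label a server's first bytes the way a passive sensor would."""
    if not payload:
        return "unknown"
    if payload.startswith(b"SSH-"):
        return "ssh"
    if payload.startswith(b"HTTP/"):
        return "http"
    if len(payload) >= 64 and shannon_entropy(payload) > 7.0:
        return "encrypted"
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in payload) / len(payload)
    if printable > 0.95 and payload.rstrip().endswith((b">", b"$", b"#")):
        return "interactive"  # cleartext ending in a prompt: looks like a bound shell
    return "unknown"

def learn_baseline(sessions, min_count=2):
    """Ports seen repeatedly on a server become its known services."""
    seen = Counter((srv, port) for srv, port, _ in sessions)
    baseline = defaultdict(set)
    for (srv, port), n in seen.items():
        if n >= min_count:
            baseline[srv].add(port)
    return baseline

def detect(sessions, baseline):
    """Flag sessions on ports outside the baseline, tagged by what they look like."""
    alerts = []
    for srv, port, payload in sessions:
        if port not in baseline.get(srv, set()):
            kind = classify(payload)
            reason = "ssh on off port" if kind == "ssh" and port != 22 else f"new {kind} service"
            alerts.append((srv, port, reason))
    return alerts
```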

