IDS mailing list archives

Re: Detecting covert data channels?


From: jasonj () hotmail com
Date: 8 Jul 2007 09:05:33 -0000

 
If the data is encoded in the header, then it might be very difficult to check for the presence of covert channels. 
www.2factor.us/tunnel.html has discussed and implemented such a system, in which a malicious covert channel is 
established through the unused header fields and the channel is encrypted.

One of the solutions (discussed at www.2factor.us/tunnel) for the IPS can be to normalize or enforce policies in the 
unused header fields. This can prevent the malicious covert channel. 
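
The header normalization mentioned in the message above, as an added example that is not part of the original post or of the system at the cited site. It assumes IPv4/TCP and treats the IPv4 reserved flag, the TCP reserved bits, and the urgent pointer when URG is clear as the unused fields; the function names and the sample packet are constructed for illustration.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def normalize(pkt: bytes):
    """Zero unused IPv4/TCP header fields; return (clean_packet, findings)."""
    buf, findings = bytearray(pkt), []
    ihl = (buf[0] & 0x0F) * 4
    if buf[0] >> 4 != 4 or ihl < 20 or len(buf) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    if buf[6] & 0x80:                      # IPv4 reserved flag must be zero
        findings.append("ipv4 reserved flag set")
        buf[6] &= 0x7F
    end = min(len(buf), struct.unpack("!H", buf[2:4])[0])
    if buf[9] == 6 and end >= ihl + 20:    # protocol 6 = TCP
        t = ihl
        if buf[t + 12] & 0x0F:             # reserved bits beside the data offset
            findings.append("tcp reserved bits set")
            buf[t + 12] &= 0xF0
        if not buf[t + 13] & 0x20 and buf[t + 18:t + 20] != b"\x00\x00":
            findings.append("urgent pointer set without URG")
            buf[t + 18:t + 20] = b"\x00\x00"
        buf[t + 16:t + 18] = b"\x00\x00"   # recompute TCP checksum
        pseudo = bytes(buf[12:20]) + struct.pack("!BBH", 0, 6, end - t)
        struct.pack_into("!H", buf, t + 16,
                         inet_checksum(pseudo + bytes(buf[t:end])))
    buf[10:12] = b"\x00\x00"               # recompute IPv4 header checksum
    struct.pack_into("!H", buf, 10, inet_checksum(bytes(buf[:ihl])))
    return bytes(buf), findings

def sample_packet() -> bytes:
    """Constructed 40-byte IPv4/TCP SYN with data hidden in unused fields."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0x8000, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x5A, 0x02, 1024, 0, 0x4142)
    return ip + tcp

if __name__ == "__main__":
    clean, notes = normalize(sample_packet())
    print(notes)
```

The findings list doubles as an alert source for an IDS that only observes, while an inline IPS forwards the cleaned packet.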
