IDS mailing list archives
Re: Detecting covert data channels?
From: "Richard Bejtlich" <taosecurity () gmail com>
Date: Wed, 30 May 2007 17:04:10 -0400
On 5/25/07, Joff Thyer <jsthyer () gmail com> wrote:
It is reasonably trivial to encode data within packet headers, and even encrypt said data as most are probably aware. There are past examples where control information has been sent within ICMP and other packets using header fields. My question surrounds detection; given that IDS tends to be payload focused, if a covert channel exists that has encrypted data in a packet header, how do we go about detecting it? My initial thought leans toward the fact that encrypted data blocks are statistically flat over time. Given say 'snort', how can we use this idea? I am not a snort expert by any means, so please no flames!
Joff, As Ron pointed out, encrypted channels are not the same as covert channels. However, if you want to find arbitrary encrypted traffic I recommend watching the ShmooCon video of Encrypted Protocol Identification via Statistical Analysis by Rob King and Rohit Dhamankar at http://www.shmoocon.org/2007/videos/ They may be presenting at Black Hat in Las Vegas this summer and might release their code then. Tipping Point will undoubtedly incorporate this feature soon. If you want to know more about detecting covert channels read papers written by Steven J. Murdoch: http://www.cl.cam.ac.uk/~sjm217/ Steven's dissertation will be one of the definitive works on this subject. Sincerely, Richard ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly?Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more.
------------------------------------------------------------------------
Current thread:
- Detecting covert data channels? Joff Thyer (May 28)
- Re: Detecting covert data channels? vijay upadhyaya (May 29)
- RE: Detecting covert data channels? Omar Herrera (May 29)
- Re: Detecting covert data channels? Kowsik (May 29)
- Re: Detecting covert data channels? Eric Hacker (May 29)
- Re: Detecting covert data channels? Skip Carter (May 29)
- Re: Detecting covert data channels? Ron Gula (May 29)
- Re: Detecting covert data channels? Richard Bejtlich (May 30)
- Re: Detecting covert data channels? Jose Nazario (May 31)