IDS mailing list archives

Re: Detecting covert data channels?


From: "Richard Bejtlich" <taosecurity () gmail com>
Date: Wed, 30 May 2007 17:04:10 -0400

On 5/25/07, Joff Thyer <jsthyer () gmail com> wrote:
It is reasonably trivial to encode data within packet headers, and
even encrypt said data as most are probably aware.  There are past
examples where control information has been sent within ICMP and other
packets using header fields.

My question surrounds detection; given that IDS tends to be payload
focused, if a covert channel exists that has encrypted data in a
packet header, how do we go about detecting it?

My initial thought leans toward the fact that encrypted data blocks
are statistically flat over time.  Given say 'snort', how can we use
this idea?   I am not a snort expert by any means, so please no
flames!


Joff,

As Ron pointed out, encrypted channels are not the same as covert
channels.  However, if you want to find arbitrary encrypted traffic I
recommend watching the ShmooCon video of

Encrypted Protocol Identification via Statistical Analysis

by Rob King and Rohit Dhamankar

at

http://www.shmoocon.org/2007/videos/

They may be presenting at Black Hat in Las Vegas this summer and might
release their code then.  Tipping Point will undoubtedly incorporate
this feature soon.

If you want to know more about detecting covert channels read papers
written by Steven J. Murdoch:

http://www.cl.cam.ac.uk/~sjm217/

Steven's dissertation will be one of the definitive works on this subject.

Sincerely,

Richard
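The following Python is an added example, not code from the thread, from Snort, or from the King/Dhamankar or Murdoch work cited above. It shows the "statistically flat" idea Joff raises, applied the way a practitioner would actually have to apply it: not to a single packet, but to a window of header-field values (here the 16-bit IP ID) and of ICMP echo payloads, measuring both byte entropy and the entropy of successive differences (a counter or timestamp has near-zero delta entropy, ciphertext does not). All four packet streams, the 0.9 thresholds and the seeded PRNG standing in for ciphertext are constructed for illustration.

```python
"""
Entropy screening of packet header fields and ICMP payloads for covert
channels.  Added example: not code from the mailing-list thread or Snort.

Premise from the thread: encrypted data is "statistically flat", so a header
field or payload carrying ciphertext looks uniformly random over time, while a
legitimately used field (IP ID counter, timeval, fixed ping pattern) does not.
Measures are taken over a WINDOW of packets, never a single packet; a lone
56-byte ping payload is high-entropy by chance.
All packet streams below are constructed; the 0.9 threshold is an assumption.
"""
import math
import random
import struct
from collections import Counter


def shannon_entropy(symbols):
    """Shannon entropy (bits/symbol) of an iterable of hashable symbols."""
    counts = Counter(symbols)
    n = sum(counts.values())
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def normalized(h, n_samples, symbol_bits):
    """Scale entropy to [0, 1] against the maximum attainable with this many
    samples (you cannot observe 16 bits of entropy from 100 samples)."""
    h_max = min(symbol_bits, math.log2(n_samples)) if n_samples > 1 else 1.0
    return h / h_max if h_max > 0 else 0.0


def field_stats(values, width):
    """Score a window of integer header-field values, each `width` bytes."""
    data = b"".join(v.to_bytes(width, "big") for v in values)
    mod = 1 << (8 * width)
    deltas = [(b - a) % mod for a, b in zip(values, values[1:])]
    return {
        "byte_entropy": normalized(shannon_entropy(data), len(data), 8),
        "delta_entropy": normalized(shannon_entropy(deltas), len(deltas), 8 * width),
    }


def payload_stats(payloads):
    """Score a window of raw payloads (bytes only; no single field to difference)."""
    data = b"".join(payloads)
    return {"byte_entropy": normalized(shannon_entropy(data), len(data), 8)}


def looks_encrypted(stats, threshold=0.9):
    """Flag when every available measure sits near its maximum (assumed 0.9)."""
    return all(v >= threshold for v in stats.values())


# ---- constructed traffic ---------------------------------------------------

def counter_ip_ids(n, start=0x1A00):
    """IP ID as an incrementing counter, as many stacks set it."""
    return [(start + i) & 0xFFFF for i in range(n)]


def covert_ip_ids(n, seed=2007):
    """IP ID carrying two bytes of (PRNG stand-in for) ciphertext per packet."""
    rng = random.Random(seed)
    return [rng.getrandbits(16) for _ in range(n)]


def ping_payloads(n, size=56):
    """Linux-style echo request payload: 8-byte timeval plus ascending pattern."""
    pattern = bytes(range(0x10, 0x10 + size - 8))
    return [struct.pack("<II", 1180560000 + i, (i * 137) % 1000000) + pattern
            for i in range(n)]


def covert_ping_payloads(n, size=56, seed=2007):
    """Echo payloads filled with (PRNG stand-in for) ciphertext."""
    rng = random.Random(seed)
    return [bytes(rng.getrandbits(8) for _ in range(size)) for _ in range(n)]


def demo(window=512):
    """Return {stream name: flagged as encrypted?} for the constructed streams."""
    return {
        "ipid_counter": looks_encrypted(field_stats(counter_ip_ids(window), 2)),
        "ipid_covert": looks_encrypted(field_stats(covert_ip_ids(window), 2)),
        "ping_normal": looks_encrypted(payload_stats(ping_payloads(window))),
        "ping_covert": looks_encrypted(payload_stats(covert_ping_payloads(window))),
    }


if __name__ == "__main__":
    for name, flagged in demo().items():
        print(f"{name:13s} {'FLAGGED' if flagged else 'ok'}")
```

Two caveats a practitioner would want. First, this is a screen, not a detector: stacks that randomize IP IDs or initial sequence numbers are flat too, so the measures have to be baselined per host and per field, which is exactly why Richard's point that "encrypted" and "covert" are different things matters. Second, because Snort's rule language matches on content rather than distributions, this kind of check runs as an offline pass over field values pulled from a capture (or as a custom preprocessor), not as a Snort rule.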
