Snort mailing list archives

Re: covert channel detection?


From: Chris Green <cmg () uab edu>
Date: 06 Aug 2001 13:51:28 -0500

"Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com> writes:

> I'm still using Snort 1.7 on Linux and plan to upgrade to 1.8 soon. I was
> wondering if 1.8 adds any capability to detect covert channels (either icmp
> or http)? Or does anyone out there use any custom rules for this? Or is it
> expected that trojan detection will suffice in catching covert channels?

The trouble with covert channels is that they are a dime a dozen and
each one of them needs to be analyzed separately.  The old movie
cliche of assassins talking to each other about the multitude of ways
to kill a person parallels the discussions that many groups of
"security professionals" will have regarding covert channels.

Is there a particular covert channel you are worried about?  The use
of SPADE might help detect covert channels (it detects anomalous
packets) but it won't be a perfect solution.
-- 
Chris Green <cmg () uab edu>
"Yeah, but you're taking the universe out of context."
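One concrete starting point for the "custom rules" question above, as an added example that is not part of this thread, of Snort, or of SPADE: a small Python heuristic that flags ICMP echo payloads which do not look like a stock ping. It assumes the default iputils ping payload layout (8-byte timestamp followed by bytes counting up from 0x10) and the default Windows ping payload (the 32-byte string "abcdefghijklmnopqrstuvwabcdefghi"); the entropy and printable-ratio thresholds are assumed tuning values, and the sample packets are constructed, not captured traffic.

```python
"""Heuristic check for data carried in ICMP echo payloads.

Added example; not code from Snort, SPADE, or the mailing-list thread.
Assumptions: the two default ping payload layouts named below, and the
threshold values, which are tuning guesses rather than measured figures.
"""
import math
import struct
from collections import Counter

# Default payload of Windows ping (assumed constant).
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_linux_ping_payload(payload: bytes) -> bool:
    """iputils ping default: 8-byte timeval, then bytes counting up from 0x10."""
    if len(payload) < 16:
        return False
    body = payload[8:]
    return all(b == (0x10 + i) & 0xFF for i, b in enumerate(body))


def is_windows_ping_payload(payload: bytes) -> bool:
    return payload == WINDOWS_PING_PAYLOAD


def classify_echo_payload(payload: bytes, entropy_limit: float = 5.0,
                          printable_ratio: float = 0.9) -> str:
    """Return 'ping' for a stock ping payload, otherwise a reason it is suspect.

    Both thresholds are assumed values; tune them against your own baseline.
    """
    if is_linux_ping_payload(payload) or is_windows_ping_payload(payload):
        return "ping"
    if shannon_entropy(payload) > entropy_limit:
        return "suspect: high-entropy payload (encrypted/compressed data?)"
    printable = sum(32 <= b < 127 for b in payload)
    if payload and printable / len(payload) > printable_ratio:
        return "suspect: printable text in echo payload"
    return "suspect: payload does not match a known ping pattern"


def linux_ping_payload(size: int = 56) -> bytes:
    """Build a constructed iputils-style payload with a fixed fake timestamp."""
    ts = struct.pack("!II", 0x3B6E2A9C, 0x000A4F11)  # constructed timeval
    return ts + bytes((0x10 + i) & 0xFF for i in range(size - 8))


# Constructed sample packets (src, dst, echo payload); not real captures.
# Packet 3 stands in for an encrypted tunnel payload: 64 distinct byte values.
# Packet 4 stands in for a plaintext command channel.
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.0.1", linux_ping_payload()),
    ("10.0.0.7", "10.0.0.1", WINDOWS_PING_PAYLOAD),
    ("10.0.0.9", "198.51.100.20", bytes((i * 37 + 11) & 0xFF for i in range(64))),
    ("10.0.0.9", "198.51.100.20", b"id=4242;cmd=cat /etc/passwd"),
]


def scan(packets):
    """Run the classifier over (src, dst, payload) tuples; return alerts."""
    alerts = []
    for src, dst, payload in packets:
        verdict = classify_echo_payload(payload)
        if verdict != "ping":
            alerts.append((src, dst, verdict))
    return alerts


if __name__ == "__main__":
    for src, dst, verdict in scan(SAMPLE_PACKETS):
        print(f"{src} -> {dst}: {verdict}")
```

The pattern checks are the part a Snort signature can approximate (ICMP type, payload size, expected content); the entropy and printable-ratio tests are the kind of statistical judgement that rules cannot express and that an anomaly-based preprocessor such as SPADE is meant to cover, which is also why neither approach alone catches every channel.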

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
