Re: Snort Detect Binary Transfer

["Keith W. McCammon" <mccammon () gmail com>]

> So how about a way to detect if large amounts of
> traffic or a trafic rate is occuring?
>
> For example, if the connection speed grows past
> 5KB/sec, alert.
>
> Is that possible?

You should be able to do this using a threshold rule based on dsize,
although (again) you're not detecting a binary transfer, you're just
detecting an abnormal amount of data flowing to a given host.

Perhaps you might look into MRTG, RRDTool, NTop, or something similar.
 These tools are probably better suited to bandwidth monitoring and
such, since that seems to be as close as you can come to binary
transfer detection, given your situation (SSH).

> --- "Keith W. McCammon" <mccammon () gmail com> wrote:
> > > Does anyone know of a rule to detect if any binary
> > > transfer is occuring?
> >
> > If you're looking for a specific binary, you may be
> > able to do that.
> > But to detect a binary transfer (independent of
> > transport protocol),
> > it would hard to distinguish, for the obvious
> > reasons.  Snort sees the
> > protocol headers at various levels, as well as the
> > data.  If there's a
> > preprocessor involved, then it can do some more
> > specific checks
> > against those protocols.  Unless you can manage a
> > match using one of
> > those methods, it's probably a guessing game at
> > best.
> >
> > > Specifically this would be used for SSH/SFTP/SCP.
> >
> > You're not going to have much luck trying to match
> > against encrypted
> > protocols, unless you've cooked up a new way to pass
> > Snort the session
> > keys.  Try using Tripwire, or some other host-based
> > scheme if you need
> > to detect these types of system changes reliably.
> -------------------------------------------------------
> > This SF.Net email sponsored by Black Hat Briefings &
> > Training.
> > Attend Black Hat Briefings & Training, Las Vegas
> > July 24-29 -
> > digital self defense, top technical experts, no
> > vendor pitches,
> > unmatched networking opportunities. Visit
> > www.blackhat.com
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or
> > unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
>
>
> __________________________________
> Do you Yahoo!?
> New and Improved Yahoo! Mail - Send 10MB messages!
>
>
> http://promotions.yahoo.com/new_mail
>
> -------------------------------------------------------
> This SF.Net email sponsored by Black Hat Briefings & Training.
> Attend Black Hat Briefings & Training, Las Vegas July 24-29 -
> digital self defense, top technical experts, no vendor pitches,
> unmatched networking opportunities. Visit www.blackhat.com
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users