Snort mailing list archives

Previous By Date Next
Previous By Thread Next

RE: detecting tunnels with Snort

From: "Michael Scheidell" <scheidell () secnap net>
Date: Mon, 6 Mar 2006 17:31:10 -0500


-----Original Message-----
From: snort-users-admin () lists sourceforge net 
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of 
Radu Spineanu
Sent: Sunday, March 05, 2006 10:12 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] detecting tunnels with Snort


Hi

Is it possible to detect different types of tunnels (gre, ipsec, http
tunnels) that cross a network boundary by using snort ?


Yes, if you write a signature for it.

No, there are no signatures currently for it.

Maybe, as there are a lot of different tunnels, and you would need to
not only write a signature for it, but take into account the 'normal'
traffic on that port.

Example:  a tunnel on udp port 53 SHOULD NOT HAVE A PACKER LARGER THAN
254 BYTES, as the dns rfc's on the dns query that is associated with
that port should mark 'large packet', if query answer is larger than 254

(so, you could 'protect' udp port 53 with a signature that:
A) triggered if you got udp port 53 traffic on an UNKNOWN DNS SERVER,
B) triggered if the packet length is > 254 bytes
(note, tunnel writer could break packets up)

Icmp:  if 'unknown' icmp types are used, you could trigger on that.
  Or, if icmp 'return traffic' came from addresses that did not send it
out.
  If icmp timestamp packet came in that didn't have a timestamp, etc.

TCP, well if the encrypted traffic over port 80, 

I guess you would need an application engine, and assign 'normal'
traffic to each open port and write signatures looking for abnormal
traffic.

(but, you could still encapsulate TUNNEL traffic inbetween 'valid
looking' HTTP ports on port 80)



-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid0944&bid$1720&dat1642
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: