Home page logo

bugtraq logo Bugtraq mailing list archives

SNORT Covered channels detector patch
From: fryxar fryxar <fryxar () yahoo com ar>
Date: Tue, 5 Dec 2006 14:34:04 +0000 (GMT)

Usually, in every medium/high size company Network,
there's a firewall conecting the corporative LAN/WAN
to the Internet with a set of rules that only allows
specific traffic, such as HTTP, HTTPS. FTP or POP3 /
SMTP. A malicious internal user, could take advantage
of these open ports, and use them to access other
services (sending through them, other protocols).

For example, he could set up a ssh server on the
Internet, listening port 443, and configure the
internal ssh client to access that port. Such an
arrangement, makes virtually imposible for any
administrator to detect the real nature of the
traffic. The same applies if there is a proxy working
to provide Internet access to the LAN. By using tools
like proxytunnel, it is possible to establish a
connection to server on the Internet, without being

This snort patch, based on "tcpstatflow" tool and
written to be compiled with snort- using
stream4 preprocessor, is designed with the purpose of
fighting these tecniques, by detecting traffic that is
not HTTP / HTTPS / FTP / SMTP, with a reasonable
margin of error. It's based on the fact that these
protocols present a huge asymmetry in the amount of
data transmitted in one way and the oposite (within a
single TCP connection).

As an example, you could consider HTTP requests, where
you have the browser sending a small packet with a GET
command (and some extra overhead) and as a response,
receives a web page, an image, or a download. The same
asymmetry takes place in reverse, with SMTP. Your mail
client sends your composition, and a small ACK is sent
back from the server. Asymmetry. Keep that in mind.

To apply this patch, you must:
- Download snort source (snort-
- Download snort patch
- Apply the patch: patch -p0
- Compile snort & Install
- To configure, you must set the following two values
in the config file:

#   detect_covered_channels [number] - Number of bytes
to use as threshold to 
#                  detect covered channels, 0 to
disable this check
#   covered_channels_ports [list] - use the space
separated list of ports in [list], 
#                  "all" will turn on detection for
all ports, "default" will turn
#                  on reassembly for ports 21, 25, 80
and 443

So, if the number of bytes on a ESTABLISHED TCP
connection, is greater than "detect_covered_channels"
threshold for both flows (from client to server, and
from server to client), and it has a destination port
in "covered_channels_ports" list, a standard snort
alarm is generated with GID 111 and SID 26.

Download from:

Correo Yahoo!
Espacio para todos tus mensajes, antivirus y antispam ¡gratis! 
¡Abrí tu cuenta ya! - http://correo.yahoo.com.ar

  By Date           By Thread  

Current thread:
  • SNORT Covered channels detector patch fryxar fryxar (Dec 05)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]