IDS: RE: HTTP based trojans

RE: HTTP based trojans

From: Rob Shein <shoten_at_starpower.net>
Date: Thu, 7 Nov 2002 11:59:28 -0500

Yes, except that in Setiri, for example, the communication adheres to
HTTP standards. It's not just a trojan using port 80 to slip through
firewalls and IDS systems unnoticed; it actually uses Internet Explorer
as a component of itself, so that even local app-aware firewalling like
ZoneAlarm, Norton Internet Security or BlackIce won't see anything
unusual.

> -----Original Message-----
> From: s.wun [mailto:s.wun_at_thales-is.com.hk]
> Sent: Wednesday, November 06, 2002 9:13 PM
> To: AQBARROS_at_BKB.com.br; focus-ids_at_securityfocus.com
> Subject: Re: HTTP based trojans
>
>
> I think this so-called flow-based IDS is about analysing each
> end-to-end connection based on what protocol the connection
> is using. For example, if the protocol is 6, it should follow
> the TCP communication standard; anything other than that
> will be regarded as a potential hack. That's why, in an HTTP
> connection, it detects communication that does not belong to HTTP,
> so it should be able to raise an alarm.
>
> One can create this kind of analysis with simple programming;
> it is not necessary to purchase StealthWatch if we understand the
> principle of it.
>
> sam
Received on Nov 07 2002
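As an added illustration (not part of this thread, and not StealthWatch's, Setiri's or Nmap's code), here is the kind of per-flow protocol-conformance check sam describes, written in Python over constructed sample payloads. It treats the first client bytes of a port-80 flow as HTTP only if they open with a well-formed request line and header block, and flags anything else (a command shell, a custom trojan handshake) as a protocol mismatch. It also makes Rob's caveat concrete: the request a trojan sends through Internet Explorer is syntactically valid HTTP and passes the same check. The `Flow` record, the port-to-checker table and every payload below are assumptions made for the example; they are not captured traffic.

```python
import re
from dataclasses import dataclass

# HTTP/1.x request methods (RFC 2616 plus CONNECT). A request line is
# "METHOD SP Request-URI SP HTTP/major.minor CRLF"; headers are "token: value CRLF".
HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"TRACE", b"CONNECT"}
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)\r\n")
HEADER_LINE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+:[ \t]*[^\r\n]*\r\n")


@dataclass
class Flow:
    """One end-to-end connection as a flow collector would summarise it (assumed shape)."""
    src: str
    dst: str
    dst_port: int
    client_payload: bytes  # first bytes the client sent after the handshake


def looks_like_http_request(payload: bytes) -> bool:
    """True if the payload opens with a syntactically valid HTTP/1.x request.

    Checks the request line, then each header line up to the blank line that
    ends the header block. Binary data, a shell banner or a home-grown
    protocol fails the request-line check immediately.
    """
    m = REQUEST_LINE.match(payload)
    if not m or m.group(1) not in HTTP_METHODS:
        return False
    rest = payload[m.end():]
    while rest:
        if rest.startswith(b"\r\n"):  # end of headers; body (if any) follows
            return True
        h = HEADER_LINE.match(rest)
        if not h:
            return False
        rest = rest[h.end():]
    # Valid request line but headers cut off (partial capture): still HTTP-shaped.
    return True


# Which wire protocol each port is expected to carry (assumed policy table).
EXPECTED_PROTOCOL = {80: looks_like_http_request}


def classify_flow(flow: Flow) -> str:
    """'conforms', 'protocol-mismatch', or 'unknown-port' when no checker is defined."""
    checker = EXPECTED_PROTOCOL.get(flow.dst_port)
    if checker is None:
        return "unknown-port"
    return "conforms" if checker(flow.client_payload) else "protocol-mismatch"


def alerts(flows):
    """Return (src, dst, port) for every flow that does not match its port's protocol."""
    return [(f.src, f.dst, f.dst_port) for f in flows if classify_flow(f) == "protocol-mismatch"]


# Constructed sample flows (not real captures).
SAMPLE_FLOWS = [
    # 1. Ordinary browser request.
    Flow("10.0.0.5", "198.51.100.10", 80,
         b"GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/4.0\r\n\r\n"),
    # 2. Setiri-style: the trojan drives Internet Explorer, so the wire shows a
    #    well-formed POST carrying the command channel. This passes the check.
    Flow("10.0.0.7", "203.0.113.20", 80,
         b"POST /cgi-bin/upload HTTP/1.1\r\nHost: drop.example.net\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 15\r\n\r\n"
         b"cmd=dir+c%3A%5C"),
    # 3. Plain command shell bound to port 80: not HTTP, flagged.
    Flow("10.0.0.9", "203.0.113.30", 80,
         b"Microsoft Windows 2000 [Version 5.00.2195]\r\n(C) Copyright 1985-2000 Microsoft Corp.\r\n\r\nC:\\>"),
    # 4. Custom trojan handshake on port 80: binary, flagged.
    Flow("10.0.0.11", "203.0.113.40", 80, b"\x00\x01\x02TROJAN-HELLO\x00"),
    # 5. Port with no checker defined: reported as unknown, not alerted.
    Flow("10.0.0.13", "203.0.113.50", 443, b"\x16\x03\x01\x00\x9a\x01\x00"),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src} -> {f.dst}:{f.dst_port}  {classify_flow(f)}")
    print("alerts:", alerts(SAMPLE_FLOWS))
```

Only flows 3 and 4 raise alerts; flow 2, the one the thread is actually about, looks exactly like a browser to this check, which is why syntactic conformance alone does not catch a trojan that borrows the browser's own HTTP stack.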