Snort mailing list archives
Re: Snort Detect Binary Transfer
From: Real Cucumber <monkcucumber () yahoo com>
Date: Wed, 14 Jul 2004 10:06:32 -0700 (PDT)
Good point. Since the only thing running through this firewall is SSH, but the main purpose of the SSH is to allow access to a legacy text-based application with no file transfers allowed, I want to detect if anyone uses SFTP or SCP to download files, so I assume I could detect this judging by the transfer rate. So how about a way to detect if large amounts of traffic or a traffic rate is occurring? For example, if the connection speed grows past 5KB/sec, alert. Is that possible?

--- "Keith W. McCammon" <mccammon () gmail com> wrote:

> > Does anyone know of a rule to detect if any binary transfer is occurring?
>
> If you're looking for a specific binary, you may be able to do that. But to detect a binary transfer (independent of transport protocol), it would be hard to distinguish, for the obvious reasons. Snort sees the protocol headers at various levels, as well as the data. If there's a preprocessor involved, then it can do some more specific checks against those protocols. Unless you can manage a match using one of those methods, it's probably a guessing game at best.
>
> > Specifically this would be used for SSH/SFTP/SCP.
>
> You're not going to have much luck trying to match against encrypted protocols, unless you've cooked up a new way to pass Snort the session keys. Try using Tripwire, or some other host-based scheme if you need to detect these types of system changes reliably.
-------------------------------------------------------
This SF.Net email sponsored by Black Hat Briefings & Training. Attend Black Hat Briefings & Training, Las Vegas July 24-29 - digital self defense, top technical experts, no vendor pitches, unmatched networking opportunities. Visit www.blackhat.com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
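The sustained-rate check asked about above, written as an added example that is not from this thread or from Snort: since content matching is useless against encrypted SSH, it works only from per-packet timestamps and sizes (constructed here as packet records, as an IDS or flow exporter could supply them) and alerts once a direction of an SSH flow averages more than 5 KB/s over a full 10-second window. The window length, the threshold and the sample traffic are assumptions.

```python
from collections import defaultdict, deque

WINDOW_SECS = 10.0         # window the byte rate is averaged over (assumed)
RATE_THRESHOLD = 5 * 1024  # bytes/sec; the "5KB/sec" figure from the question
SSH_PORT = 22

class FlowRateMonitor:
    """Per-direction byte-rate tracker for SSH flows, alerting once per flow."""
    def __init__(self, window=WINDOW_SECS, threshold=RATE_THRESHOLD):
        self.window, self.threshold = window, threshold
        self.history = defaultdict(deque)  # (src, dst) -> deque of (ts, nbytes)
        self.first_seen, self.alerted, self.alerts = {}, set(), []

    def observe(self, ts, src, dst, sport, dport, nbytes):
        if SSH_PORT not in (sport, dport):
            return                          # only SSH traffic is of interest here
        key = (src, dst)                    # one counter per direction
        self.first_seen.setdefault(key, ts)
        dq = self.history[key]
        dq.append((ts, nbytes))
        while dq[0][0] <= ts - self.window:  # drop samples older than the window
            dq.popleft()
        # Judge a flow only once it has lasted a full window, so a short burst
        # (a screen redraw on the text application) does not trip the alert.
        if ts - self.first_seen[key] < self.window or key in self.alerted:
            return
        rate = sum(n for _, n in dq) / self.window
        if rate > self.threshold:
            self.alerted.add(key)
            self.alerts.append((key, ts, rate))

def run(packets):
    """Feed packet records (ts, src, dst, sport, dport, nbytes) in time order."""
    mon = FlowRateMonitor()
    for rec in sorted(packets):
        mon.observe(*rec)
    return mon.alerts

# Constructed sample traffic: an interactive session (small keystroke/echo
# packets) and a bulk SCP-style download from the server at roughly 14 KB/s.
INTERACTIVE = [(t * 0.5, "10.0.0.5", "10.0.0.1", 50000, 22, 64) for t in range(40)]
BULK = [(1.0 + i * 0.1, "10.0.0.1", "10.0.0.9", 22, 50001, 1400) for i in range(150)]

if __name__ == "__main__":
    for (src, dst), ts, rate in run(INTERACTIVE + BULK):
        print(f"ALERT t={ts:.1f}s {src} -> {dst}: {rate:.0f} B/s sustained over {WINDOW_SECS:.0f}s")
```

Only the bulk direction (server to client) trips the alert, at the first instant a full window has elapsed; the interactive session stays far below the threshold, which is the distinction the question is after.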
