[Snort-sigs] Common encryption Identification?
mkettler at ...189...
Wed Oct 8 13:13:03 EDT 2003
At 09:08 AM 10/8/2003, Tony Hernandez wrote:
>Has anyone got any rules for detecting encryption types?
Can you define what you mean by "types" here?
Are you trying to detect common protocols which use encryption, such as
SSL, or are you trying to figure out what kind of encryption was used (i.e.
3des vs blowfish vs AES). The latter should be impossible from looking at
the encrypted data itself, but might be possible for you to look in the
protocol headers and know from those; however, you'd need to know what the
protocol format is.
AIM supports a built-in S/MIME-based encryption format. Some tools also
support using PGP and just send text-format PGP encrypted messages.
Outside of things like the above, it's very unusual for them to use any
standard format. A lot of IM "encryption-add-on" type systems use
home-brewed protocols coupled with some popular encryption algorithm like
AES or blowfish. Some of them go as far as using a homebrewed encryption
algorithm as well.
> I took a look at the packets and they all begin with ".....=..._....E."
> anyone have any ideas?
Are those really .'s in there, or is that just an ASCII representation of
an unprintable character?
If they're using encryption, the packets are almost certainly binary, and
you'll need to look at hex dumps and stop looking at the ASCII.
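The two points made in the reply above (you can recognise a protocol that carries encryption from its headers, but you cannot name the cipher from the ciphertext itself, and binary payloads have to be read as hex rather than ASCII) as an added example. This is not code from the original thread and not a Snort rule; it is a stand-alone Python script with constructed sample payloads (a TLS record header, an SSH banner, PGP ASCII armor, an S/MIME header, hash output standing in for a home-brewed binary protocol, and a plaintext chat line). The 0.85 entropy cut-off is an assumed heuristic, not a figure from the page.

```python
"""Triage packet payloads: known encrypted protocol (by header bytes),
then 'looks like ciphertext' vs 'looks like plaintext' (by byte entropy)."""
import hashlib
import math
from collections import Counter


def hexdump(data: bytes, width: int = 16) -> str:
    """Offset / hex / ASCII dump; unprintable bytes show as '.'.
    A payload that looks like '.....=..._....E.' in ASCII is really
    the hex column, which is the part worth matching on."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asciipart = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3 - 1}}  {asciipart}")
    return "\n".join(lines)


def entropy_bits(data: bytes) -> float:
    """Shannon entropy per byte, 0.0 .. 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# Header fingerprints of protocols that carry encryption. Naming the
# protocol is feasible; naming the cipher (3DES vs Blowfish vs AES) from
# the encrypted bytes alone is not, so nothing below attempts it.
SIGNATURES = [
    # TLS/SSL record: content type 0x16 (handshake), version major 0x03.
    ("TLS/SSL handshake", lambda d: len(d) >= 3 and d[0] == 0x16
        and d[1] == 0x03 and d[2] in (0x00, 0x01, 0x02, 0x03)),
    # SSH identification banner precedes the key exchange.
    ("SSH", lambda d: d.startswith(b"SSH-")),
    ("PGP ASCII armor", lambda d: d.startswith(b"-----BEGIN PGP MESSAGE-----")),
    ("S/MIME (pkcs7-mime)", lambda d: b"application/pkcs7-mime" in d[:256].lower()),
]

HIGH_ENTROPY_FRACTION = 0.85  # assumed heuristic cut-off, not from the page


def classify(payload: bytes) -> str:
    for name, match in SIGNATURES:
        if match(payload):
            return name
    # No header to go on. Ciphertext is close to uniformly distributed, but
    # so are compressed and base64-encoded data, so this is a hint only.
    # With n bytes the entropy cannot exceed log2(n); scale for short payloads.
    if len(payload) < 32:
        return "too short to judge"
    ceiling = min(8.0, math.log2(len(payload)))
    if entropy_bits(payload) >= HIGH_ENTROPY_FRACTION * ceiling:
        return "unknown, high entropy (encrypted, compressed or encoded)"
    return "unknown, low entropy (likely plaintext)"


# Constructed sample payloads, not captured traffic.
SAMPLES = {
    "tls": bytes.fromhex("16030100a10100009d0301") + bytes(range(32)),
    "ssh": b"SSH-2.0-OpenSSH_3.6.1p2\r\n",
    "pgp": b"-----BEGIN PGP MESSAGE-----\nVersion: GnuPG v1.2.3\n\n"
           b"hQEMA1xZkM2Fq7RtAQf9Fz\n-----END PGP MESSAGE-----\n",
    "smime": b"Content-Type: application/pkcs7-mime; smime-type=enveloped-data"
             b"\r\n\r\nMIAGCSqGSIb3DQEHA6CA",
    # hash output as filler for a home-brewed binary protocol's ciphertext
    "homebrew": b"".join(hashlib.sha256(bytes([i])).digest() for i in range(4)),
    "chat": b"hey, are you coming to the meeting at 3? bring the snort rules printout.",
}


if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        print(f"== {label}: {classify(payload)} "
              f"(entropy {entropy_bits(payload):.2f} bits/byte)")
        print(hexdump(payload[:32]))
```

The header checks are the part that maps onto a Snort rule (for the TLS record header, `content:"|16 03|"; depth:2;`); the entropy test is only a tiebreaker for traffic with no recognisable header, and it runs last because base64 and compressed data look just as uniform as ciphertext.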