[Snort-users] Snort Detect Binary Transfer

Keith W. McCammon mccammon at ...11827...
Tue Jul 13 10:57:27 EDT 2004


> Does anyone know of a rule to detect if any binary
> transfer is occurring?

If you're looking for a specific binary, you may be able to do that. 
But to detect a binary transfer (independent of transport protocol),
it would be hard to distinguish, for the obvious reasons.  Snort sees the
protocol headers at various levels, as well as the data.  If there's a
preprocessor involved, then it can do some more specific checks
against those protocols.  Unless you can manage a match using one of
those methods, it's probably a guessing game at best.
 
> Specifically this would be used for SSH/SFTP/SCP.

You're not going to have much luck trying to match against encrypted
protocols, unless you've cooked up a new way to pass Snort the session
keys.  Try using Tripwire, or some other host-based scheme if you need
to detect these types of system changes reliably.
