[Snort-users] Snort Detect Binary Transfer
Keith W. McCammon
mccammon at ...11827...
Tue Jul 13 10:57:27 EDT 2004
> Does anyone know of a rule to detect if any binary
> transfer is occurring?
If you're looking for a specific binary, you may be able to do that.
But to detect a binary transfer (independent of transport protocol),
it would be hard to distinguish, for the obvious reasons. Snort sees the
protocol headers at various levels, as well as the data. If there's a
preprocessor involved, then it can do some more specific checks
against those protocols. Unless you can manage a match using one of
those methods, it's probably a guessing game at best.
> Specifically this would be used for SSH/SFTP/SCP.
You're not going to have much luck trying to match against encrypted
protocols, unless you've cooked up a new way to pass Snort the session
keys. Try using Tripwire, or some other host-based scheme if you need
to detect these types of system changes reliably.
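The host-based alternative Keith points to, as an added example that is not part of the original thread and is not Tripwire's own code or database format: a minimal Python baseline-and-compare over a constructed directory, with hypothetical helper names, showing how file changes that arrive as ciphertext on the wire are still visible on the host.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed illustration of a Tripwire-style file-integrity baseline (hypothetical helper
# names, not Tripwire's own code or database format): hash every file once, re-hash later,
# and report what appeared, vanished or changed.

def hash_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root) -> dict:
    """Map relative path -> digest for every regular file below root (symlinks skipped)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file() and not p.is_symlink()}

def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between two baselines: new, deleted and altered files."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }

def demo() -> dict:
    """Constructed scenario: after the baseline, a binary is replaced, a new one is dropped in,
    and a config file is deleted; the comparison surfaces all three."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF original")
        (root / "etc.conf").write_text("port=22\n")
        before = build_baseline(root)
        # Changes arriving over SSH/SCP look like ciphertext to a network sensor, but the host sees them.
        (root / "bin" / "ls").write_bytes(b"\x7fELF replaced")
        (root / "bin" / "dropped").write_bytes(b"\x7fELF new")
        (root / "etc.conf").unlink()
        return compare(before, build_baseline(root))
```

In practice the baseline would be stored off-host or on read-only media so that whatever changed the files cannot also rewrite the record of them.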