[Snort-users] Snort Detect Binary Transfer
mkettler at ...4108...
Tue Jul 13 11:04:01 EDT 2004
At 01:32 PM 7/13/2004, Real Cucumber wrote:
>Does anyone know of a rule to detect if any binary
>transfer is occurring?
>Specifically this would be used for SSH/SFTP/SCP.
And how exactly would it be possible for someone watching the wire to know
such a thing was occurring over SSH?
You do realize that SSH/SFTP/SCP is an encrypted protocol, and as such it's
specifically designed to make it difficult to know anything about the data
being transferred. That's what encryption is all about.
Given that SSH is encrypted, text payload vs binary payload look the same.
Or are you just trying to detect the use of SSH? If you just want to detect
SSH in the first place, don't look for binary; look for the text strings
that are passed as the client and server greet each other with version
strings. This happens before encryption is started, so you can look for it.
One of the bleeding-edge snort rules specifically looks for SSH over
#Submitted by Joel Esler
alert tcp any !22 -> any !22 (msg:"BLEEDING-EDGE Covert Non-Standard SSH Port Usage"; flags:AP+; content:"SSH-"; depth:8; sid:2000354; rev:1;)
It looks a little broad to me and might have some FPs, but it's a good
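As an added example that is not part of the original post or of the bleeding-edge ruleset, here is a small Python re-implementation of the matching logic of the rule quoted above, run over constructed sample packets, together with a parser for the cleartext version banner that RFC 4253 defines ("SSH-protoversion-softwareversion SP comments CR LF"). The Packet class, the scan() helper and the sample traffic are assumptions made for illustration; this is not Snort's engine and only mirrors the rule's port, flag, content and depth conditions.

```python
"""Added example: mirror the matching logic of
alert tcp any !22 -> any !22 (flags:AP+; content:"SSH-"; depth:8; sid:2000354;)
over constructed sample packets, and parse the cleartext SSH version banner.
Not Snort code; names and sample data below are assumptions for illustration."""
import re
from dataclasses import dataclass

# RFC 4253 section 4.2 banner: SSH-protoversion-softwareversion [SP comments] CR LF.
# softwareversion is whitespace-free printable ASCII; RFC 4253 also forbids '-'
# in it, but this regex is deliberately looser because real banners contain it.
SSH_BANNER_RE = re.compile(rb"^SSH-(\d+\.\d+)-([\x21-\x7e]+)(?: [^\r\n]*)?\r?\n")

TCP_PSH = 0x08
TCP_ACK = 0x10


@dataclass
class Packet:  # hypothetical minimal view of a TCP segment
    src_port: int
    dst_port: int
    flags: int
    payload: bytes


def rule_2000354_matches(pkt: Packet) -> bool:
    """Same conditions as the quoted rule: both ports != 22, ACK and PSH set
    (flags:AP+ allows extra flags), and "SSH-" fully inside the first 8 bytes."""
    if pkt.src_port == 22 or pkt.dst_port == 22:
        return False
    if pkt.flags & (TCP_ACK | TCP_PSH) != (TCP_ACK | TCP_PSH):
        return False
    # depth:8 limits the search to payload[0:8]; a 4-byte pattern therefore
    # only matches when it starts at offset 0..4
    return pkt.payload[:8].find(b"SSH-") != -1


def parse_banner(payload: bytes):
    """Return (protoversion, softwareversion) for a complete banner, else None."""
    m = SSH_BANNER_RE.match(payload)
    if not m:
        return None
    return m.group(1).decode("ascii"), m.group(2).decode("ascii")


def scan(packets):
    """Return (index, src_port, dst_port, banner) for every packet the rule fires on."""
    alerts = []
    for i, p in enumerate(packets):
        if rule_2000354_matches(p):
            alerts.append((i, p.src_port, p.dst_port, parse_banner(p.payload)))
    return alerts


# Constructed sample traffic (not captured data).
SAMPLE = [
    Packet(51234, 22, TCP_ACK | TCP_PSH, b"SSH-2.0-OpenSSH_3.8p1\r\n"),   # port 22: excluded by !22
    Packet(2222, 51235, TCP_ACK | TCP_PSH, b"SSH-2.0-OpenSSH_3.8p1\r\n"), # server banner on 2222: alert
    Packet(51236, 443, TCP_ACK | TCP_PSH, b"SSH-1.99-Cisco-1.25\r\n"),    # client banner to 443: alert
    Packet(51237, 8080, TCP_ACK | TCP_PSH, b"GET / HTTP/1.0\r\n\r\n"),    # no "SSH-": no alert
    Packet(51238, 8022, TCP_ACK, b"SSH-2.0-foo\r\n"),                     # PSH not set: no alert
    Packet(51239, 8022, TCP_ACK | TCP_PSH, b"\x00" * 5 + b"SSH-2.0-x\r\n"),  # pattern at offset 5, outside depth 8
    Packet(51240, 9000, TCP_ACK | TCP_PSH, b"SSH-"),                      # fires, but banner incomplete
]

if __name__ == "__main__":
    for idx, sport, dport, banner in scan(SAMPLE):
        print(f"packet {idx}: {sport} -> {dport}, banner={banner}")
```

Running it shows the rule firing on packets 1, 2 and 6: the last one has the 4-byte pattern but no full banner, which is the kind of match the depth:8 content check alone cannot distinguish from a real SSH greeting.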