[Snort-users] Snort Detect Binary Transfer

Matt Kettler mkettler at ...4108...
Tue Jul 13 11:04:01 EDT 2004

At 01:32 PM 7/13/2004, Real Cucumber wrote:
>Does anyone know of a rule to detect if any binary
>transfer is occurring?
>Specifically this would be used for SSH/SFTP/SCP.

And how exactly would it be possible for someone watching the wire to know 
such a thing was occurring over SSH?

You do realize that SSH/SFTP/SCP is an encrypted protocol, and as such it's 
specifically designed to make it difficult to know anything about the data 
being transferred.. That's what encryption is all about.

Given that SSH is encrypted, text payload vs binary payload look the same.

Or are you just trying to detect the use of SSH? If you just want to detect 
SSH in the first place, don't look for binary.. look for the text strings 
that are passed as the client and server greet each other with version 
strings. This happens before encryption is started, so you can look for it 
rather easily.

One of the bleeding-edge snort rules specifically looks for SSH over 
non-standard ports:

#Submitted by Joel Esler
alert tcp any !22 -> any !22 (msg:"BLEEDING-EDGE Covert Non-Standard SSH Port Usage"; flags:AP+; content:"SSH-"; depth:8; sid:2000354; rev:1;)

It looks a little broad to me and might have some FPs, but it's a good 
starting point. 
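As an added illustration (not from the original post or the bleeding-edge ruleset), the following Python emulates the rule's match logic on constructed sample flows and pairs it with a stricter parse of the cleartext SSH identification line from RFC 4253, which is one way to cut down the false positives the reply mentions. The port numbers and payload bytes are constructed examples.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Cleartext identification line, RFC 4253 section 4.2:
#   SSH-protoversion-softwareversion SP comments CR LF
# softwareversion contains no whitespace; the comments field is optional.
SSH_IDENT_RE = re.compile(rb"^SSH-(\d+\.\d+)-(\S+)(?: ([^\r\n]*))?\r?\n")

@dataclass
class SshIdent:
    proto_version: str
    software: str
    comments: Optional[str]

def matches_covert_ssh_rule(src_port: int, dst_port: int, payload: bytes) -> bool:
    """Emulate the rule: neither port is 22, and the literal "SSH-" lies
    entirely within the first 8 payload bytes (content:"SSH-"; depth:8)."""
    if src_port == 22 or dst_port == 22:
        return False
    return payload.find(b"SSH-", 0, 8) != -1

def parse_ssh_ident(payload: bytes) -> Optional[SshIdent]:
    """Stricter check: return the parsed identification line, or None when the
    bytes merely start with "SSH-" (one source of the rule's false positives)."""
    m = SSH_IDENT_RE.match(payload)
    if m is None:
        return None
    comments = m.group(3)
    return SshIdent(
        proto_version=m.group(1).decode("ascii"),
        software=m.group(2).decode("ascii", "replace"),
        comments=comments.decode("ascii", "replace") if comments is not None else None,
    )

# Constructed sample flows: (src_port, dst_port, first client->server bytes).
SAMPLE_FLOWS = [
    (51234, 2222, b"SSH-2.0-OpenSSH_5.8p1 Debian-7\r\n"),   # SSH on a non-standard port
    (51235, 22,   b"SSH-2.0-OpenSSH_5.8p1\r\n"),             # ordinary SSH, rule ignores it
    (51236, 8080, b"SSH-FAQ.txt follows\r\n"),               # text that only looks like SSH
    (51237, 443,  b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"),  # TLS ClientHello, not SSH
]

def classify(flows):
    """Return (rule_hit, confirmed) per flow; confirmed additionally requires a
    well-formed identification line."""
    out = []
    for src, dst, payload in flows:
        hit = matches_covert_ssh_rule(src, dst, payload)
        out.append((hit, hit and parse_ssh_ident(payload) is not None))
    return out

if __name__ == "__main__":
    for (src, dst, _), (hit, ok) in zip(SAMPLE_FLOWS, classify(SAMPLE_FLOWS)):
        print(f"{src}->{dst}: rule_hit={hit} confirmed_ssh={ok}")
```

The third flow shows the kind of hit the rule alone cannot distinguish from real SSH: "SSH-" within the first eight bytes, but no protocol version or software version behind it.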
