[Snort-users] Snort Detect Binary Transfer

Bamm Visscher bamm.visscher at ...11827...
Tue Jul 13 11:45:01 EDT 2004

Not a rule per say, but it's possible to make an educated guess on
whether a binary xfer or possible tunneling via ssh is happening using
session/connection/flow/whatever you want to call it data.

I short, look at the entire session. Regular ssh sessions cause many
'small' packets, where as scp would generally cause a large, one sided
stream. Tunneling would depend on the proto being tunneled, but
generally, more data would be seen on one side of the stream, with the
other side sending more data than say a scp.


On Tue, 13 Jul 2004 10:32:32 -0700 (PDT), Real Cucumber
<monkcucumber at ...131...> wrote:
> Does anyone know of a rule to detect if any binary
> transfer is occuring?
> Specifically this would be used for SSH/SFTP/SCP.
> Just need a simple alert type of rule.
> Thanks.
> __________________________________
> Do you Yahoo!?
> New and Improved Yahoo! Mail - 100MB free storage!
> http://promotions.yahoo.com/new_mail
> -------------------------------------------------------
> This SF.Net email sponsored by Black Hat Briefings & Training.
> Attend Black Hat Briefings & Training, Las Vegas July 24-29 -
> digital self defense, top technical experts, no vendor pitches,
> unmatched networking opportunities. Visit www.blackhat.com
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


More information about the Snort-users mailing list