[Snort-users] Snort Detect Binary Transfer
monkcucumber at ...131...
Wed Jul 14 10:10:35 EDT 2004
Good point. Since the only thing running through this
firewall is SSH, but the main purpose of the SSH is to
allow access to a legacy text based application with
no file transfers allowed, I want to detect if anyone
uses SFTP or SCP to download files, so I assume I
could detect this judging by the transfer rate.
So how about a way to detect if large amounts of
traffic or a traffic rate is occurring?
For example, if the connection speed grows past
Is that possible?
--- "Keith W. McCammon" <mccammon at ...11827...> wrote:
> > Does anyone know of a rule to detect if any binary
> > transfer is occurring?
> If you're looking for a specific binary, you may be
> able to do that.
> But to detect a binary transfer (independent of
> transport protocol),
> it would be hard to distinguish, for the obvious
> reasons. Snort sees the
> protocol headers at various levels, as well as the
> data. If there's a
> preprocessor involved, then it can do some more
> specific checks
> against those protocols. Unless you can manage a
> match using one of
> those methods, it's probably a guessing game at
> > Specifically this would be used for SSH/SFTP/SCP.
> You're not going to have much luck trying to match
> against encrypted
> protocols, unless you've cooked up a new way to pass
> Snort the session
> keys. Try using Tripwire, or some other host-based
> scheme if you need
> to detect these types of system changes reliably.
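The volume-based approach discussed in this thread, as an added example that is not part of the original posts: since Snort cannot see inside the SSH stream, the only signal left is how many bytes move in each direction. The script below keeps a sliding-window byte count per SSH session and direction and raises an alert the first time a window exceeds a threshold. Hosts, ports, thresholds and the packet records are constructed for the example, not taken from the thread or from a capture.

```python
"""Heuristic detector for bulk transfers inside an encrypted SSH session.

Snort cannot match on SFTP/SCP content, so this flags a session by volume:
if more than byte_threshold bytes move in one direction within
window_seconds, report that session once.  All traffic below is
constructed for the example (interactive typing plus an SCP-style
download); it is not captured data.
"""
from collections import defaultdict, deque

SSH_PORT = 22

# Packet record layout: (timestamp_s, src_ip, src_port, dst_ip, dst_port, payload_bytes)


def ssh_direction(pkt):
    """Map a packet to (client, server, direction) using the SSH port.

    Client -> server is "upload" (scp to the server); server -> client is
    "download" (scp/sftp get).  Non-SSH packets return None.
    """
    _ts, src, sport, dst, dport, _size = pkt
    if dport == SSH_PORT:
        return (src, dst, "upload")
    if sport == SSH_PORT:
        return (dst, src, "download")
    return None


def detect_bulk_transfers(packets, window_seconds=10.0, byte_threshold=200_000):
    """Sliding-window byte counter per (client, server, direction).

    Returns a list of alert dicts, at most one per session-direction, raised
    the first time the bytes in the trailing window cross the threshold.
    """
    windows = defaultdict(deque)   # key -> deque of (timestamp, size)
    totals = defaultdict(int)      # key -> bytes currently inside the window
    alerted = set()
    alerts = []
    for pkt in sorted(packets):    # process in timestamp order
        key = ssh_direction(pkt)
        if key is None:
            continue
        ts, size = pkt[0], pkt[5]
        q = windows[key]
        q.append((ts, size))
        totals[key] += size
        # Evict packets that have fallen out of the trailing window.
        while q and ts - q[0][0] > window_seconds:
            _old_ts, old_size = q.popleft()
            totals[key] -= old_size
        if totals[key] > byte_threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "time": ts,
                "client": key[0],
                "server": key[1],
                "direction": key[2],
                "bytes_in_window": totals[key],
            })
    return alerts


def constructed_traffic():
    """Constructed sample: one interactive session and one bulk download.

    10.0.0.5 types into a text application on server 10.0.0.1 (4 keystrokes
    per second, small echoes back) for 60 s.  10.0.0.9 pulls 2 MiB from the
    same server in 1400-byte segments over about 5 s.
    """
    pkts = []
    for i in range(240):
        t = i * 0.25
        pkts.append((t, "10.0.0.5", 40001, "10.0.0.1", SSH_PORT, 52))          # keystroke
        pkts.append((t + 0.01, "10.0.0.1", SSH_PORT, "10.0.0.5", 40001, 116))  # screen update
    n_segments = (2 * 1024 * 1024) // 1400
    for i in range(n_segments):
        t = 30.0 + i * (5.0 / n_segments)
        pkts.append((t, "10.0.0.1", SSH_PORT, "10.0.0.9", 40002, 1400))       # bulk data
    return pkts


if __name__ == "__main__":
    for alert in detect_bulk_transfers(constructed_traffic()):
        print(f"{alert['time']:.2f}s {alert['direction']} {alert['client']} "
              f"<-> {alert['server']}: {alert['bytes_in_window']} bytes in window")
```

Interactive use stays at a few kilobytes per 10-second window, so only the 2 MiB pull trips the detector. The caveats are the usual ones for a volume heuristic: a transfer throttled below the threshold is missed, a long screen redraw or scrollback in the text application can push a legitimate session over it, and nothing here tells SFTP apart from scp or from a large paste. Snort's own `threshold` rule option (track by source, count N matching packets in M seconds) can express the same idea inside a rule, but it counts packets rather than bytes, so pair it with a `dsize` test for full-sized segments to approximate the byte threshold.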