[Snort-users] Snort Detect Binary Transfer

Real Cucumber monkcucumber at ...131...
Wed Jul 14 10:10:35 EDT 2004


Good point. Since the only thing running through this
firewall is SSH, but the main purpose of the SSH is to
allow access to a legacy text based application with
no file transfers allowed, I want to detect if anyone
uses SFTP or SCP to download files, so I assume I
could detect this judging by the transfer rate.

So how about a way to detect if large amounts of
traffic or a traffic rate is occurring?

For example, if the connection speed grows past
5KB/sec, alert.

Is that possible?


--- "Keith W. McCammon" <mccammon at ...11827...> wrote:
> > Does anyone know of a rule to detect if any binary
> > transfer is occurring?
> 
> If you're looking for a specific binary, you may be
> able to do that. 
> But to detect a binary transfer (independent of
> transport protocol),
> it would be hard to distinguish, for the obvious
> reasons.  Snort sees the
> protocol headers at various levels, as well as the
> data.  If there's a
> preprocessor involved, then it can do some more
> specific checks
> against those protocols.  Unless you can manage a
> match using one of
> those methods, it's probably a guessing game at
> best.
>  
> > Specifically this would be used for SSH/SFTP/SCP.
> 
> You're not going to have much luck trying to match
> against encrypted
> protocols, unless you've cooked up a new way to pass
> Snort the session
> keys.  Try using Tripwire, or some other host-based
> scheme if you need
> to detect these types of system changes reliably.
> 



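The rate-based approach suggested above (alert when a session on the SSH port pushes more than 5 KB/sec) is not something a Snort content rule expresses, but it is simple to implement over per-packet or flow records. The following is an added example, not code from this thread or from Snort: it assumes constructed packet records of the form (time, src, dst, src_port, payload_bytes) for the server-to-client direction, and sums bytes per flow in fixed one-second windows.

```python
from collections import defaultdict
from math import floor

# Constructed sample records, not captured traffic:
# (time_seconds, src_ip, dst_ip, src_port, payload_bytes), server-to-client only.
SAMPLE_PACKETS = [
    # Flow A: interactive text session, a few small echoes per second.
    (0.0, "10.0.0.5", "192.168.1.20", 22, 64),
    (0.4, "10.0.0.5", "192.168.1.20", 22, 96),
    (1.1, "10.0.0.5", "192.168.1.20", 22, 80),
    (1.9, "10.0.0.5", "192.168.1.20", 22, 72),
    # Flow B: full-size segments back to back, as an scp/sftp download would look.
    (0.0, "10.0.0.5", "192.168.1.30", 22, 1448),
    (0.1, "10.0.0.5", "192.168.1.30", 22, 1448),
    (0.2, "10.0.0.5", "192.168.1.30", 22, 1448),
    (0.3, "10.0.0.5", "192.168.1.30", 22, 1448),
    (0.4, "10.0.0.5", "192.168.1.30", 22, 1448),
    (1.0, "10.0.0.5", "192.168.1.30", 22, 1448),
]


def bytes_per_window(packets, ssh_port=22, window=1.0):
    """Sum server-to-client payload bytes per (src, dst, time window)."""
    buckets = defaultdict(int)
    for t, src, dst, sport, size in packets:
        if sport != ssh_port:        # only traffic leaving the SSH server
            continue
        bucket = floor(t / window)   # fixed windows; a burst straddling a boundary is split in two
        buckets[(src, dst, bucket)] += size
    return buckets


def detect_bulk_transfers(packets, threshold_bytes_per_sec=5 * 1024, window=1.0):
    """Return one alert per (src, dst, window) whose byte count exceeds the rate threshold.

    Each alert is (src, dst, window_start_seconds, total_bytes, rate_bytes_per_sec).
    """
    alerts = []
    for (src, dst, bucket), total in sorted(bytes_per_window(packets, window=window).items()):
        if total > threshold_bytes_per_sec * window:
            alerts.append((src, dst, bucket * window, total, total / window))
    return alerts


if __name__ == "__main__":
    for src, dst, start, total, rate in detect_bulk_transfers(SAMPLE_PACKETS):
        print(f"ALERT {src} -> {dst} at t={start:.0f}s: {total} bytes ({rate:.0f} B/s > 5 KB/s)")
```

A single full-screen redraw of the text application can exceed 5 KB in one window, so in practice require the threshold to be crossed in several consecutive windows before alerting.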