[Snort-users] Snort Detect Binary Transfer

Bamm Visscher bamm.visscher at ...11827...
Wed Jul 14 10:58:07 EDT 2004


Do data analysis based on session data.  For example, here I did three
different types of ssh connections to my test box (sorry about the
readability, but I just exported it from a query within sguil):

Sensor||SSN ID||Start Time||End Time||Source IP||Source Port||Dest IP||Dest Port||Source Packets||Source Bytes||Dest Packets||Dest Bytes

reset||4680432811155636472||2004-07-13 19:49:44||2004-07-13 19:51:37||192.168.8.102||32798||10.1.1.2||22||363||9648||216||20223

reset||4680434039516124695||2004-07-13 19:54:30||2004-07-13 19:54:44||192.168.8.102||32799||10.1.1.2||22||1187||4288||2187||24279

reset||4680435834812621322||2004-07-13 20:01:28||2004-07-13 20:01:46||192.168.8.102||32800||10.1.1.2||22||1195||4336||2163||24327

reset||4680436036675874162||2004-07-13 20:02:15||2004-07-13 20:09:16||192.168.8.102||32801||10.1.1.2||22||238||10336||219||61999

The scp is easy to find as it's the relatively short session (14 secs)
and both sides sent a lot of packets (src: 1187 dst: 2187).  Unless a
user is copy/pasting a lot of text into an interactive ssh cnx, you
won't see numbers like that in such a short period of time since once
the session is established, you basically get one encrypted packet for
each char typed (really fast typers might be able to get two chars in
a packet sometimes). So, if you assume that 100 packets were used for
setup/tear down, then that'd mean the user would still have to type
almost 1000 chars in 14 secs. I'd expect that if I pulled up raw
packets related to the connections, I'd find even more differences.

For the curious, the first session is an interactive shell where I
cd'd around and opened a few files in vi.  The third session is where
I tunneled sguil comms over ssh.

Oh, the data was collected using sancp
(http://www.metre.net/sancp.html) and then mined with sguil
(http://sguil.sf.net). It would be simple to set up a standard query
that you ran every hour/day/whatever to look for 'unwanted' cnxs like
those.

<shameless plug>
This is an example of what we call Network Security Monitoring (NSM)
versus IDS. The idea is to use more sources of information to do
analysis than just IDS alerts.  Check out these two chapters from
Richard Bejtlich's soon to be released book "The Tao of Network
Security Monitoring" for more info:
http://www.awprofessional.com/content/images/0321246772/samplechapter/bejtlich_chs.pdf
</shameless plug>

Bammkkkk

On Wed, 14 Jul 2004 10:06:32 -0700 (PDT), Real Cucumber
<monkcucumber at ...131...> wrote:
> Good point. Since the only thing running through this
> firewall is SSH, but the main purpose of the SSH is to
> allow access to a legacy text based application with
> no file transfers allowed, I want to detect if anyone
> uses SFTP or SCP to download files, so I assume I
> could detect this judging by the transfer rate.
> 
> So how about a way to detect if large amounts of
> traffic or a traffic rate is occurring?
> 
> For example, if the connection speed grows past
> 5KB/sec, alert.
> 
> Is that possible?

-- 
http://sguil.sf.net
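The per-session arithmetic above (subtract roughly 100 setup/teardown packets, then compare the client packet rate against what a human could type), as an added Python example that is not part of the original post nor of sguil or sancp. The input is the post's own four session rows re-joined one per line; the 10 packets/sec typing ceiling and the 5 KB/sec byte-rate check from the quoted question are assumed thresholds. Run on these rows it flags both the scp and the tunnelled-sguil session, which matches the "unwanted cnxs" the post describes.

```python
from datetime import datetime

# Constructed sample input: the four sancp session rows exported from sguil in the
# post above, one record per line, same '||' delimiter as the export.
SESSIONS = """\
reset||4680432811155636472||2004-07-13 19:49:44||2004-07-13 19:51:37||192.168.8.102||32798||10.1.1.2||22||363||9648||216||20223
reset||4680434039516124695||2004-07-13 19:54:30||2004-07-13 19:54:44||192.168.8.102||32799||10.1.1.2||22||1187||4288||2187||24279
reset||4680435834812621322||2004-07-13 20:01:28||2004-07-13 20:01:46||192.168.8.102||32800||10.1.1.2||22||1195||4336||2163||24327
reset||4680436036675874162||2004-07-13 20:02:15||2004-07-13 20:09:16||192.168.8.102||32801||10.1.1.2||22||238||10336||219||61999
"""

FIELDS = ("sensor", "ssn_id", "start", "end", "src_ip", "src_port", "dst_ip",
          "dst_port", "src_pkts", "src_bytes", "dst_pkts", "dst_bytes")
INT_FIELDS = ("src_port", "dst_port", "src_pkts", "src_bytes", "dst_pkts", "dst_bytes")
TS = "%Y-%m-%d %H:%M:%S"


def parse_sessions(text):
    """Parse the '||'-delimited export into dicts; duration is clamped to >= 1 s."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(FIELDS, line.split("||")))
        for key in INT_FIELDS:
            rec[key] = int(rec[key])
        secs = (datetime.strptime(rec["end"], TS) - datetime.strptime(rec["start"], TS)).total_seconds()
        rec["duration"] = max(1, int(secs))
        rows.append(rec)
    return rows


def rate_sessions(rows, setup_pkts=100, max_typing_pps=10.0, min_bulk_bps=5000):
    """Apply the post's reasoning: after ~setup_pkts of handshake/teardown, an
    interactive ssh session sends about one client packet per keystroke, so a
    sustained client packet rate above a plausible typing rate (assumed: 10/s)
    points to a bulk transfer or a tunnel. Also reports total bytes/sec for the
    '5KB/sec' idea in the quoted question (assumed threshold; these rows stay below it)."""
    out = []
    for r in rows:
        pps = max(0, r["src_pkts"] - setup_pkts) / r["duration"]
        bps = (r["src_bytes"] + r["dst_bytes"]) / r["duration"]
        out.append({"ssn_id": r["ssn_id"], "src_pps": round(pps, 1),
                    "bytes_per_sec": round(bps, 1),
                    "bulk": pps > max_typing_pps or bps > min_bulk_bps})
    return out


if __name__ == "__main__":
    for s in rate_sessions(parse_sessions(SESSIONS)):
        print(s)
```

The byte-rate column shows why the "5KB/sec" idea alone would miss this scp (about 2 KB/s here), while the packet-rate test catches it.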
