[Snort-users] Snort Detect Binary Transfer

Omar McKenzie omckenzi at ...4479...
Sat Jul 17 19:21:02 EDT 2004


You could use swatch or SEC to watch the logfiles on the SSH server and
alert/email you when the SFTP or SCP subsystem is activated.


----- Original Message ----- 
From: "Real Cucumber" <monkcucumber at ...131...>
To: <snort-users at lists.sourceforge.net>
Sent: Wednesday, July 14, 2004 1:06 PM
Subject: Re: [Snort-users] Snort Detect Binary Transfer


> Good point. Since the only thing running through this
> firewall is SSH, but the main purpose of the SSH is to
> allow access to a legacy text based application with
> no file transfers allowed, I want to detect if anyone
> uses SFTP or SCP to download files, so I assume I
> could detect this judging by the transfer rate.
>
> So how about a way to detect if large amounts of
> traffic or a traffic rate is occurring?
>
> For example, if the connection speed grows past
> 5KB/sec, alert.
>
> Is that possible?
>
>
> --- "Keith W. McCammon" <mccammon at ...11827...> wrote:
> > > Does anyone know of a rule to detect if any binary
> > > transfer is occurring?
> >
> > If you're looking for a specific binary, you may be
> > able to do that.
> > But to detect a binary transfer (independent of
> > transport protocol),
> > it would be hard to distinguish, for the obvious
> > reasons.  Snort sees the
> > protocol headers at various levels, as well as the
> > data.  If there's a
> > preprocessor involved, then it can do some more
> > specific checks
> > against those protocols.  Unless you can manage a
> > match using one of
> > those methods, it's probably a guessing game at
> > best.
> >
> > > Specifically this would be used for SSH/SFTP/SCP.
> >
> > You're not going to have much luck trying to match
> > against encrypted
> > protocols, unless you've cooked up a new way to pass
> > Snort the session
> > keys.  Try using Tripwire, or some other host-based
> > scheme if you need
> > to detect these types of system changes reliably.
> >
> >
> >
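As an added example (not from this post or the list), a small Python watcher that does what swatch or SEC would be configured to do on the SSH server: it reads sshd syslog lines, flags sessions that request the sftp subsystem or an exec-style session (what scp uses), and ties each to the login that opened it. The sample log lines are constructed; the line formats are assumed from OpenSSH, and the "Starting session: command" line is assumed to appear only at a raised LogLevel.

```python
import re
from collections import namedtuple

# Constructed sample sshd syslog lines (not from any real host).  The
# "subsystem request for sftp" line is logged by OpenSSH at its default
# LogLevel; the "Starting session: command" line for an exec request
# (how scp runs) is assumed to need LogLevel DEBUG on the server.
SAMPLE_LOG = """\
Jul 17 19:01:12 gw sshd[4021]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
Jul 17 19:01:13 gw sshd[4021]: subsystem request for sftp by user alice
Jul 17 19:02:40 gw sshd[4044]: Accepted publickey for bob from 10.0.0.9 port 51800 ssh2
Jul 17 19:02:41 gw sshd[4044]: Starting session: shell on pts/3 for bob from 10.0.0.9 port 51800
Jul 17 19:05:55 gw sshd[4071]: Accepted password for carol from 10.0.0.7 port 52100 ssh2
Jul 17 19:05:56 gw sshd[4071]: Starting session: command for carol from 10.0.0.7 port 52100
"""

LOGIN_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+) port")
SFTP_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: subsystem request for sftp")
EXEC_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: Starting session: command ")

Alert = namedtuple("Alert", "kind user src pid")

def watch(lines):
    """Return one Alert per sshd session that requested the sftp subsystem
    or a remote command; interactive shell sessions produce no alert."""
    sessions = {}   # sshd pid -> (user, source address) from the Accepted line
    alerts = []
    for line in lines:
        m = LOGIN_RE.search(line)
        if m:
            sessions[m["pid"]] = (m["user"], m["src"])
            continue
        for kind, rx in (("sftp", SFTP_RE), ("exec", EXEC_RE)):
            m = rx.search(line)
            if m:
                user, src = sessions.get(m["pid"], ("?", "?"))
                alerts.append(Alert(kind, user, src, m["pid"]))
    return alerts

if __name__ == "__main__":
    # In production, feed this from `tail -F` on the sshd log instead.
    for a in watch(SAMPLE_LOG.splitlines()):
        print(f"ALERT {a.kind}: user={a.user} src={a.src} sshd pid={a.pid}")
```

Bob's interactive shell is deliberately not reported, so the watcher only fires on the file-transfer paths the original poster wants to catch.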