IDS mailing list archives
RE: Detecting trojans on random ports with encrypted traffic...
From: Clint Byrum <cbyrum () spamaps org>
Date: 30 Oct 2002 10:28:32 -0800
On Wed, 2002-10-30 at 06:00, Chris Petersen wrote:
> A commercial solution you may also want to investigate is Stealthwatch by Lancope. From what I have read (haven't had hands on unfortunately) this technology is uniquely designed to detect those attacks where signatures don't or can't exist (e.g., reasons expressed below). Stealthwatch detects attacks via "flow-based analysis", that is, they keep a table of who is talking to whom and how. A newly installed trojan/backdoor should initiate a "flow" (unique SIP, DIP, SPort, DPort, Protocol) that has never been seen on the network before (e.g., outbound connection to attacker). This flow will be identified and compared to the baseline of "normal" flows captured/catalogued, where it will be determined anomalous and an alarm will be generated.
Isn't this similar to what SPADE does in snort?
> May be worth investigating http://www.lancope.com/
>
> -----Original Message-----
> From: Clint Byrum [mailto:cbyrum () spamaps org]
> Sent: Thursday, October 24, 2002 2:22 PM
> To: focus-ids () securityfocus com
> Subject: Re: Detecting trojans on random ports with encrypted traffic...
>
> On Thu, 2002-10-24 at 09:03, Frank Knobbe wrote:
> > Intrusion Detection does not have to rely on signatures alone. You can and should create your own rules that can spot abnormal traffic. Since it sounds like you are using Snort, you can write rules that detect connections from and to ports that you normally don't use. The classic example is rules for a web server that alert you when the web server starts to establish connections to the outside on its own (not counting any connections that are normal, like virus scanner updates). Or create rules that allow users to connect to various allowed ports (i.e. ftp, http, ntp), but alert you when there are odd outbound connections (such as some trojans would do). If you add some 'behavioral' rules to Snort, or any IDS, you can detect a great deal more than just with signatures.
>
> Well, as I stated in the original post, that's what I'm doing right now. But I have run into one situation (only one detected anyways) where a machine at one site was given a trojan, running on port 80. The behavioral rules weren't quite as complete as they should have been, so this wasn't detected because site-to-site traffic wasn't considered suspicious. Sometimes behavioral rules can be very hard to write. In most cases a site has a few servers in the front parts of the subnet, followed by some network printers, then the client machines. I suppose aligning things via CIDR would make it easier to write these types of rules. Otherwise, when you're talking about sites with hundreds of users, and > 30 or 40 servers... the rules start to multiply quickly. And at least with snort... things get less and less "lightweight" when you're talking about thousands of rules.
Maybe it's time to check out Prelude...
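The two ideas in the thread above, a baseline of previously seen flows (Chris Petersen's description of Stealthwatch) and Clint Byrum's suggestion of aligning the rules by CIDR block so they do not multiply per host, can be sketched in a few dozen lines. The following is an added example written for this archive page, not code from the thread, from Lancope, or from Snort. It assumes flows are keyed on (source, destination, destination port, protocol) rather than the full 5-tuple, since the ephemeral source port changes on every connection and would never repeat; the network ranges and all flow records are constructed sample data.

```python
# Added example: a minimal flow-baseline anomaly detector with optional CIDR
# aggregation. Not from the original thread; all addresses and flows below
# are constructed for illustration.
import ipaddress
from collections import Counter
from typing import List, NamedTuple, Optional, Tuple


class Flow(NamedTuple):
    sip: str
    dip: str
    sport: int
    dport: int
    proto: str  # "tcp" or "udp"


def flow_key(f: Flow, nets: Optional[List[str]] = None) -> Tuple[str, str, int, str]:
    """Baseline key for a flow.

    The source port is dropped (assumption: it is ephemeral noise). If `nets`
    is given, any host inside one of those CIDR blocks is replaced by the
    block, so one baseline entry covers e.g. "any client -> web server:80".
    """
    def bucket(addr: str) -> str:
        if nets:
            ip = ipaddress.ip_address(addr)
            for n in nets:
                if ip in ipaddress.ip_network(n):
                    return n
        return addr
    return (bucket(f.sip), bucket(f.dip), f.dport, f.proto)


class FlowBaseline:
    """Learn "normal" flows during a training window, then flag unseen ones."""

    def __init__(self, nets: Optional[List[str]] = None):
        self.nets = list(nets) if nets else None
        self.seen: Counter = Counter()

    def learn(self, flows: List[Flow]) -> None:
        for f in flows:
            self.seen[flow_key(f, self.nets)] += 1

    def detect(self, flows: List[Flow]) -> List[Tuple[Flow, str]]:
        """Return (flow, reason) for every flow whose key is not in the baseline."""
        alerts = []
        for f in flows:
            k = flow_key(f, self.nets)
            if k not in self.seen:
                alerts.append((f, "never-seen flow %r" % (k,)))
        return alerts


# Constructed sample data: local servers, local clients, and a second site.
SITE_NETS = ["10.1.0.0/24", "10.1.2.0/24", "10.2.0.0/24"]

BASELINE_FLOWS = [
    Flow("10.1.2.10", "10.1.0.10", 51000, 80, "tcp"),   # client -> local web server
    Flow("10.1.2.11", "10.1.0.10", 51001, 80, "tcp"),
    Flow("10.1.2.10", "10.1.0.5", 51002, 53, "udp"),    # client -> local DNS
    Flow("10.1.0.10", "10.2.0.10", 51003, 443, "tcp"),  # server -> remote site
]

NEW_FLOWS = [
    Flow("10.1.2.12", "10.1.0.10", 52000, 80, "tcp"),    # new client, known service
    Flow("10.1.2.11", "203.0.113.9", 52001, 80, "tcp"),  # client beaconing out on 80
    Flow("10.2.0.44", "10.1.2.11", 52002, 80, "tcp"),    # remote host -> client's port 80
]


def run_demo(nets: Optional[List[str]]) -> List[Flow]:
    """Train on BASELINE_FLOWS and return the NEW_FLOWS that would alert."""
    b = FlowBaseline(nets)
    b.learn(BASELINE_FLOWS)
    return [f for f, _ in b.detect(NEW_FLOWS)]


if __name__ == "__main__":
    for label, nets in (("per-host", None), ("per-CIDR", SITE_NETS)):
        print(label)
        for f in run_demo(nets):
            print("  ALERT", f)
```

Run per-host, the baseline flags all three new flows, including the benign case of a client that simply was not active during training. Run per-CIDR, that false positive disappears because "10.1.2.0/24 -> 10.1.0.0/24:80" is already in the table, while the outbound beacon on port 80 and the remote-site host connecting to a client's port 80 (the shape of the trojan Clint describes) are still reported, even though site-to-site traffic in general was seen during training. Aggregating by CIDR is the same trade-off Clint raises for Snort rules: far fewer entries to maintain, at the cost of hiding anomalies between hosts inside one block.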
Current thread:
- RE: Detecting trojans on random ports with encrypted traffic... Carey, Steve T ISD (Oct 23)
- <Possible follow-ups>
- Detecting trojans on random ports with encrypted traffic... Clint Byrum (Oct 23)
- Re: Detecting trojans on random ports with encrypted traffic... Frank Knobbe (Oct 24)
- Re: Detecting trojans on random ports with encrypted traffic... Clint Byrum (Oct 24)
- RE: Detecting trojans on random ports with encrypted traffic... Chris Petersen (Oct 30)
- RE: Detecting trojans on random ports with encrypted traffic... Clint Byrum (Oct 30)
- Re: Detecting trojans on random ports with encrypted traffic... Frank Knobbe (Oct 24)