IDS mailing list archives
Re: ssh and ids
From: Adam Powers <apowers () lancope com>
Date: Sat, 19 Jun 2004 00:29:09 -0400
There is really no one full-proof answer to this question (that I'm aware of). Encryption remains the bane of network-based intrusion detection technologies. At the risk of speaking on behalf of such flow-based vendors as Arbor, Mazu, Q1, and (yes, my personal favorite) Lancope, I think some of the new behavioral traffic analysis technologies go a long way toward solving some of the problems presented by encryption technologies. <light details> By observing the duration of a "flow" (read: a TCP socket or series of related sockets) and the manner in which packets are exchanged over a "long duration" flow, a behavior-based system can pinpoint those connections that seem to be "out of the norm". During the baselining period, a behavior driven system observes connections attributes such as "duration" and "relative connectedness" to gain an understanding of the nature of the flows being created by a given network node. The flow-based, behavior-driven system should have the ability to discern between a AES gotomypc.com connection over TCP 443 and an automatic refresh connection to www.weather.com. The determination that "covert communications" are underway is done not through string matching or protocol anomaly but rather through the analysis of the flow attributes themselves (duration, packets sent/rcvd, pkt size, etc). Bottoms line: the magic is in the algorithms used to examine header traffic. Header traffic is not encrypted. </light details> The #1 defining attribute of flow-analysis techniques is that they typically DO NOT require use of payload data to determine the presence of an attack. As previously mentioned, there is no fool-proof plan... Flow-based technologies can be tricked... It just requires a much different science than that used by snot, sidestep, or encrypted shell shoveling. - AP On 6/18/04 2:18 PM, "Runion Mark A FGA DOIM WEBMASTER(ctr)" <mark.runion () us army mil> wrote:
Lets suppose the attacker is mildly sophisticated, and after making the initial assault roots the box and installs a secure backdoor or two. Is there any IDS capable of isolating data it cannot read, except to monitor authorized port usage of a system or group of systems? Not to complicate the question, but when the attacker is using portal gates and all communications traffic is encrypted in normal channels how can an IDS participate? Monitoring normal traffic patterns seems a bit slow for detection. - Mark Runion --------------------------------------------------------------------------- ---------------------------------------------------------------------------
--------------------------------------------------------------------------- ---------------------------------------------------------------------------
Current thread:
- ssh and ids Runion Mark A FGA DOIM WEBMASTER(ctr) (Jun 18)
- Re: ssh and ids Adam Powers (Jun 21)
- Re: ssh and ids Martin Roesch (Jun 21)
- Re: ssh and ids Tony Carter (Jun 22)
- Re: ssh and ids Jason (Jun 22)
- Re: ssh and ids Adam Powers (Jun 22)
- Re: ssh and ids Martin Roesch (Jun 23)
- Re: ssh and ids Christian Kreibich (Jun 24)
- Re: ssh and ids Gary Flynn (Jun 21)
- Re: ssh and ids Frank Knobbe (Jun 22)
- Re: ssh and ids Bamm Visscher (Jun 23)
- Re: ssh and ids Frank Knobbe (Jun 23)
- Re: ssh and ids Frank Knobbe (Jun 22)