Snort mailing list archives
Re: Question for Snort gurus re: TTL and intercepted communications
From: "Keith W. McCammon" <mccammon () gmail com>
Date: Thu, 1 Jul 2004 13:17:51 -0400
You can do this to some degree, but it's generally only accurate if you're on a static network or the like. Datagrams routed via public networks may take alternate paths occasionally, or on a regular basis depending on your situation. And if you tried to use the baseline method (last time datagrams from Server_A arrived with TTL X and this time they arrived with TTL X-N, so alert) you'd probably have to be very patient and fairly lucky to catch someone in the act, as it would be almost impossible to verify an interception using this method alone.

If this is a concern, there are typically a few ways to deal with it:

1) Build out a private network. This allows you to reduce the exposure to attack, and might also provide a less dynamic environment, which would be better suited to the type of detection methods that you describe.

2) Use IPSec, SSH, SSL or some other encryption-based technology to protect data in transit. If you're pretty aggressive with your implementation, you can regenerate session keys fast enough that it would take a pretty disgusting amount of computing power to gain access to the information in a worthwhile amount of time.

3) Some combination of the two.

On Thu, 01 Jul 2004 16:33:17 +0000, jeffs () speakeasy net <jeffs () speakeasy net> wrote:
I'm wondering if there might be a method to determine if a data stream has been intercepted or sidetracked by looking at the TTL values or other values in a datastream. Of course TTL is relative and wouldn't in and of itself tell if a data stream has been intercepted, but I'm wondering if one could build a model whereby you could use a baseline reference of TTL pulled off a traceroute or something like that and then compare some values from a separate, baseline value from a third party application between server and client, to compare said values against values analyzed by snort. Just an idea. Looking for suggestions.

J.

-------------------------------------------------------
This SF.Net email sponsored by Black Hat Briefings & Training. Attend Black Hat Briefings & Training, Las Vegas July 24-29 - digital self defense, top technical experts, no vendor pitches, unmatched networking opportunities. Visit www.blackhat.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
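The baseline method Keith describes (remember the TTL each source last arrived with, alert when it drops by N) is easy to sketch, and sketching it shows why he warns about route changes: a one- or two-hop wobble on a public path looks exactly like a small drop, so any usable detector needs a tolerance window, which in turn lets a short detour slip through. The script below is an added illustration written for this archive page, not code from either poster or from Snort. The packet summaries it reads are constructed, and the warm-up count and tolerance are arbitrary assumptions you would tune per network.

```python
"""Per-source TTL baseline with drift alerting (added example, not from the thread)."""
from collections import Counter, defaultdict

# Constructed sample records: (source IP, IP TTL as seen at the sensor).
# 203.0.113.10 normally arrives at TTL 53-54; the final record is 5 hops further away.
SAMPLE_RECORDS = [
    ("203.0.113.10", 54), ("203.0.113.10", 54), ("203.0.113.10", 53),
    ("203.0.113.10", 54), ("203.0.113.10", 49),
    ("198.51.100.7", 118), ("198.51.100.7", 118), ("198.51.100.7", 117),
]


def initial_ttl_guess(ttl):
    """Assume the sender started from the smallest common OS default (64/128/255)
    that is >= the observed TTL, so hop counts can be estimated."""
    for default in (64, 128, 255):
        if ttl <= default:
            return default
    return 255


class TtlBaseline:
    def __init__(self, warmup=3, tolerance=2):
        self.warmup = warmup          # observations needed before a baseline is fixed
        self.tolerance = tolerance    # hops of drift tolerated before alerting
        self.samples = defaultdict(list)
        self.baseline = {}

    def observe(self, src, ttl):
        """Return None while normal, or an alert string when TTL drifts past tolerance."""
        if src not in self.baseline:
            self.samples[src].append(ttl)
            if len(self.samples[src]) >= self.warmup:
                # Most frequent TTL during warm-up becomes the reference value.
                self.baseline[src] = Counter(self.samples[src]).most_common(1)[0][0]
            return None
        base = self.baseline[src]
        if abs(ttl - base) > self.tolerance:
            start = initial_ttl_guess(base)
            return (f"{src}: ttl {ttl} deviates from baseline {base} "
                    f"(~{start - ttl} hops, expected ~{start - base})")
        return None


def run(records, warmup=3, tolerance=2):
    """Feed records through the detector and collect the alerts it raises."""
    detector = TtlBaseline(warmup, tolerance)
    alerts = []
    for src, ttl in records:
        alert = detector.observe(src, ttl)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for line in run(SAMPLE_RECORDS):
        print(line)
```

With the defaults, only the 5-hop drop on 203.0.113.10 is reported; raising `tolerance` to 5 silences it, which is the trade-off Keith points at: a window wide enough to absorb normal rerouting is wide enough to hide a short detour, so this is a trigger for investigation (correlate with traceroute, check whether other hosts behind the same path moved too), not proof of interception. Snort's own `ttl` rule option can express a fixed per-host threshold once you have settled on a baseline by hand, but it cannot learn one.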
Current thread:
- Question for Snort gurus re: TTL and intercepted communications jeffs (Jul 01)
- Re: Question for Snort gurus re: TTL and intercepted communications Keith W. McCammon (Jul 01)