Snort mailing list archives
Re: Snort Detect Binary Transfer
From: "Omar McKenzie" <omckenzi () nyc rr com>
Date: Sat, 17 Jul 2004 22:18:12 -0400
You could use swatch or SEC to watch the logfiles on the SSH server and alert/email you when the SFTP or SCP subsystem is activated.

----- Original Message -----
From: "Real Cucumber" <monkcucumber () yahoo com>
To: <snort-users () lists sourceforge net>
Sent: Wednesday, July 14, 2004 1:06 PM
Subject: Re: [Snort-users] Snort Detect Binary Transfer
Good point. Since the only thing running through this firewall is SSH, but the main purpose of the SSH is to allow access to a legacy text-based application with no file transfers allowed, I want to detect if anyone uses SFTP or SCP to download files, so I assume I could detect this judging by the transfer rate. So how about a way to detect if large amounts of traffic or a traffic rate is occurring? For example, if the connection speed grows past 5KB/sec, alert. Is that possible?

--- "Keith W. McCammon" <mccammon () gmail com> wrote:

> > Does anyone know of a rule to detect if any binary transfer is occurring?
>
> If you're looking for a specific binary, you may be able to do that. But to detect a binary transfer (independent of transport protocol), it would be hard to distinguish, for the obvious reasons. Snort sees the protocol headers at various levels, as well as the data. If there's a preprocessor involved, then it can do some more specific checks against those protocols. Unless you can manage a match using one of those methods, it's probably a guessing game at best.
>
> > Specifically this would be used for SSH/SFTP/SCP.
>
> You're not going to have much luck trying to match against encrypted protocols, unless you've cooked up a new way to pass Snort the session keys. Try using Tripwire, or some other host-based scheme if you need to detect these types of system changes reliably.

-------------------------------------------------------
This SF.Net email sponsored by Black Hat Briefings & Training. Attend Black Hat Briefings & Training, Las Vegas July 24-29 - digital self defense, top technical experts, no vendor pitches, unmatched networking opportunities.
Visit www.blackhat.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
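The two detection approaches raised in this thread, the sshd log watcher Omar suggests (what a swatch or SEC rule set would match on) and the per-connection transfer-rate threshold Real Cucumber asks about, as one added example. This is not code from the original posts, from Snort, or from swatch/SEC. The regexes assume OpenSSH-style syslog wording ("subsystem request for sftp", "Starting session: command for USER ..."), that the subsystem line is logged at the default LogLevel INFO while the command-session line needs LogLevel VERBOSE, and that events can be tied to the "Accepted" line by sshd pid; verify all three against your own sshd before deploying. The 5 KB/s threshold is the figure from the post; every log line and packet record in the block is constructed test data.

```python
"""Host-side detection of SFTP/SCP use over an SSH-only gateway.

Added example; not code from the thread, Snort, swatch or SEC.
detect_transfers() classifies sshd syslog lines as a swatch/SEC rule set
would; rate_alerts() is the 5 KB/s transfer-rate check from the thread,
computed over per-packet byte counts of one TCP/22 flow.
Log lines and packet records below are constructed test data.
"""
import re

# Assumed OpenSSH wording (check your sshd version before relying on these):
#  * "subsystem request for sftp" is logged at the default LogLevel INFO
#  * "Starting session: command for USER ..." needs LogLevel VERBOSE; scp is an
#    exec request, so only this line tells it apart from an interactive shell
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
ACCEPTED_RE = re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port \d+")
SUBSYSTEM_RE = re.compile(r"^subsystem request for (?P<name>\S+)(?: by user (?P<user>\S+))?")
COMMAND_RE = re.compile(r"^Starting session: command for (?P<user>\S+) from (?P<ip>\S+)")


def detect_transfers(lines, allowed_subsystems=()):
    """Return one alert dict per logged event that implies a file transfer.

    The "Accepted" line is remembered per sshd pid so a later subsystem
    request can be tied to a user and source IP. Correlating by pid is an
    assumption (privilege separation can log under another pid), so the
    user is taken from the event line itself whenever it carries one.
    """
    sessions = {}  # pid -> {"user", "ip"} from the Accepted line
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd line
        pid, ts, msg = m.group("pid"), m.group("ts"), m.group("msg")
        acc = ACCEPTED_RE.match(msg)
        if acc:
            sessions[pid] = {"user": acc.group("user"), "ip": acc.group("ip")}
            continue
        known = sessions.get(pid, {"user": "?", "ip": "?"})
        sub = SUBSYSTEM_RE.match(msg)
        if sub and sub.group("name") not in allowed_subsystems:
            alerts.append({"ts": ts, "pid": pid, "kind": "subsystem:" + sub.group("name"),
                           "user": sub.group("user") or known["user"], "ip": known["ip"]})
            continue
        cmd = COMMAND_RE.match(msg)
        if cmd:  # non-interactive exec session: scp, rsync or any other command
            alerts.append({"ts": ts, "pid": pid, "kind": "command-session",
                           "user": cmd.group("user"), "ip": cmd.group("ip")})
    return alerts


def rate_alerts(packets, threshold_bps=5 * 1024, window=1.0):
    """Return (ts, bytes_in_window) each time the flow's rate crosses above
    threshold_bps, measured over a sliding window of `window` seconds.

    packets: time-ordered (timestamp_seconds, payload_bytes) pairs for one
    direction of one flow. Alerts fire on the upward crossing only, so a
    sustained transfer produces one alert rather than one per packet.
    """
    hits, buf, above = [], [], False
    for ts, size in packets:
        buf.append((ts, size))
        while buf[0][0] < ts - window:
            buf.pop(0)  # drop packets that fell out of the window
        total = sum(s for _, s in buf)
        over = total / window > threshold_bps
        if over and not above:
            hits.append((ts, total))
        above = over
    return hits


# Constructed sample log: an interactive shell (alice), an sftp session (bob),
# a non-interactive command session (carol, e.g. scp) and one non-sshd line.
SAMPLE_LOG = """\
Jul 14 13:01:02 bastion sshd[4021]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
Jul 14 13:01:02 bastion sshd[4021]: Starting session: shell on pts/1 for alice from 10.0.0.5 port 51022
Jul 14 13:07:45 bastion sshd[4130]: Accepted password for bob from 10.0.0.9 port 51100 ssh2
Jul 14 13:07:45 bastion sshd[4130]: subsystem request for sftp by user bob
Jul 14 13:09:10 bastion sshd[4188]: Accepted publickey for carol from 10.0.0.12 port 51140 ssh2
Jul 14 13:09:10 bastion sshd[4188]: Starting session: command for carol from 10.0.0.12 port 51140
Jul 14 13:09:30 bastion cron[900]: (root) CMD (run-parts /etc/cron.hourly)
""".splitlines()

# Constructed packet sizes: keystroke-sized traffic, then full-size segments.
SAMPLE_PACKETS = [(0.0, 60), (0.4, 80), (0.9, 70), (1.5, 90),
                  (2.0, 1448), (2.1, 1448), (2.2, 1448), (2.3, 1448),
                  (2.4, 1448), (2.6, 1448)]

if __name__ == "__main__":
    for a in detect_transfers(SAMPLE_LOG):
        print("ALERT {ts} sshd[{pid}] {kind} user={user} from={ip}".format(**a))
    for ts, total in rate_alerts(SAMPLE_PACKETS):
        print("ALERT t=%.1fs rate exceeded 5 KB/s (%d bytes in window)" % (ts, total))
```

Run stand-alone it reports bob's sftp session, carol's command session and one rate crossing at t=2.3s; alice's interactive shell and the cron line produce nothing. In use, feed detect_transfers() the lines from whichever file your sshd logs to (auth.log or secure, location is system-specific) and rate_alerts() the per-packet sizes of each TCP/22 flow from your capture tool. The rate check is a heuristic only: an interactive session that pages through a large screen of the legacy application can briefly exceed 5 KB/s, so pair it with the log-based check rather than relying on it alone.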
Current thread:
- Snort Detect Binary Transfer Real Cucumber (Jul 13)
- Re: Snort Detect Binary Transfer Keith W. McCammon (Jul 13)
- Re: Snort Detect Binary Transfer Real Cucumber (Jul 14)
- Re: Snort Detect Binary Transfer Keith W. McCammon (Jul 14)
- Re: Snort Detect Binary Transfer Bamm Visscher (Jul 14)
- Re: Snort Detect Binary Transfer Omar McKenzie (Jul 17)
- Re: Snort Detect Binary Transfer Real Cucumber (Jul 14)
- Re: Snort Detect Binary Transfer Matt Kettler (Jul 13)
- Re: Snort Detect Binary Transfer Bamm Visscher (Jul 13)
- Re: Snort Detect Binary Transfer Keith W. McCammon (Jul 13)