Snort mailing list archives
RE: detecting tunnels with Snort
From: "Michael Scheidell" <scheidell () secnap net>
Date: Mon, 6 Mar 2006 17:31:10 -0500
-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Radu Spineanu
Sent: Sunday, March 05, 2006 10:12 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] detecting tunnels with Snort

Hi

Is it possible to detect different types of tunnels (GRE, IPsec, HTTP tunnels) that cross a network boundary by using Snort?
Yes, if you write a signature for it.
No, there are no signatures currently for it.
Maybe, as there are a lot of different tunnels, and you would need to not only write a signature for it, but take into account the 'normal' traffic on that port.

Example: a tunnel on UDP port 53 SHOULD NOT HAVE A PACKET LARGER THAN 254 BYTES, as the DNS RFCs on the DNS query that is associated with that port should mark 'large packet' if the query answer is larger than 254 (so you could 'protect' UDP port 53 with a signature that:
A) triggered if you got UDP port 53 traffic on an UNKNOWN DNS SERVER,
B) triggered if the packet length is > 254 bytes (note, the tunnel writer could break packets up).

ICMP: if 'unknown' ICMP types are used, you could trigger on that. Or, if ICMP 'return traffic' came from addresses that did not send it out. If an ICMP timestamp packet came in that didn't have a timestamp, etc.

TCP: well, if it's encrypted traffic over port 80, I guess you would need an application engine, and assign 'normal' traffic to each open port and write signatures looking for abnormal traffic. (But you could still encapsulate TUNNEL traffic in between 'valid looking' HTTP packets on port 80.)
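The DNS and ICMP heuristics sketched in the reply above, written out as Snort 2.x rules. This is an added example, not part of the original post and not from any Snort rule set: it assumes snort.conf defines HOME_NET, EXTERNAL_NET and DNS_SERVERS (the resolvers your hosts are supposed to use); the sids are placeholders in the local range, the 512-byte size cut-off is the UDP message limit from RFC 1035 (EDNS0 deployments exceed it and need tuning), and the ICMP payload size and the query-rate threshold are values chosen for this example, not measured baselines.

```snort
# Added example rules (not from the post or the Snort distribution).
# Assumes snort.conf sets HOME_NET, EXTERNAL_NET and DNS_SERVERS.
# sids 1000001-1000006 are local-range placeholders.

# A) UDP/53 leaving HOME_NET toward anything other than the approved resolvers.
alert udp $HOME_NET any -> !$DNS_SERVERS 53 (msg:"LOCAL DNS query to non-approved resolver - possible tunnel"; classtype:policy-violation; sid:1000001; rev:1;)

# B) Oversized UDP/53 payloads in either direction.
#    RFC 1035 caps a UDP DNS message at 512 bytes; EDNS0 (RFC 2671) raises
#    that, so whitelist or raise dsize if your resolvers negotiate it.
alert udp $HOME_NET any -> any 53 (msg:"LOCAL oversized DNS query - possible tunnel"; dsize:>512; classtype:bad-unknown; sid:1000002; rev:1;)
alert udp any 53 -> $HOME_NET any (msg:"LOCAL oversized DNS response - possible tunnel"; dsize:>512; classtype:bad-unknown; sid:1000003; rev:1;)

# Evasion noted in the post: a tunnel can split its data into many small
# queries to stay under B). Counting queries per source to a non-approved
# resolver catches the volume instead (200/min is an assumed threshold).
alert udp $HOME_NET any -> !$DNS_SERVERS 53 (msg:"LOCAL high-rate DNS to non-approved resolver - possible tunnel"; threshold:type both, track by_src, count 200, seconds 60; classtype:policy-violation; sid:1000004; rev:1;)

# ICMP: echo request/reply carrying far more payload than a normal ping
# (assumed 128-byte cut-off; typical pings carry 32-56 bytes of data).
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL large ICMP echo request - possible tunnel"; itype:8; dsize:>128; classtype:bad-unknown; sid:1000005; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL large ICMP echo reply - possible tunnel"; itype:0; dsize:>128; classtype:bad-unknown; sid:1000006; rev:1;)
```

Drop these into a local.rules file included from snort.conf and run `snort -T -c snort.conf` to check that they parse before going live. Rule 1000001 is the one that matters most for the "unknown DNS server" case in the post; the dsize rules only catch a tunnel author who does not bother to fragment, and the threshold rule fires on volume, so expect to tune its count against a baseline of your own traffic.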
Current thread:
- detecting tunnels with Snort Radu Spineanu (Mar 05)
- <Possible follow-ups>
- RE: detecting tunnels with Snort Michael Scheidell (Mar 06)
- Re: detecting tunnels with Snort Tom Le (Mar 06)
- RE: Re: detecting tunnels with Snort Michael Scheidell (Mar 07)
- Re: Re: detecting tunnels with Snort Tom Le (Mar 07)