On Fri, 25 May 2007 10:34:38 -0400
"Joff Thyer" <jsthyer@gmail.com> wrote:
It is reasonably trivial to encode data within packet headers, and
even encrypt said data as most are probably aware. There are past
examples where control information has been sent within ICMP and other
packets using header fields.
My question surrounds detection; given that IDS tends to be payload
focused, if a covert channel exists that has encrypted data in a
packet header, how do we go about detecting it?
My initial thought leans toward the fact that encrypted data blocks
are statistically flat over time. Given say 'snort', how can we use
this idea? I am not a snort expert by any means, so please no
flames!
One approach is to look for anomalous patterns in the traffic and
not so much in the packets themselves. I have had real-world success
in detecting a covert data channel in ICMP because the volume of
data was way out of the norm for the network.
I used Argus for this not Snort (I typically run more than one
network monitoring tool at a time on an IDS device -- it gives you
different ways to look at what is going on).
Skip
--
Dr. Everett (Skip) Carter Phone: 831-641-0645 FAX: 831-641-0647
Taygeta Network Security Services email: skip@taygeta.net
1340 Munras Ave., Suite 314 WWW: http://www.taygeta.net/
Monterey, CA. 93940
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
