The key question here is 'why?' If your goal is detection and forensics then
collecting batches of data for statistical analysis is likely to be both
possible and the best approach. You'll want to analyze the data in multiple
dimensions to look for anomalies across volume, targets, protocol structure,
sequencing, fragmentation, metadata, etc. (Remember you covert channel may not
be in the data at all it may be as subtle as the timing of when the packets
arrive or the order)
For this approach I'd tend to use tcpdump and various custom scripts doing the
batch analysis.
If your goal is to prevent data leakage or generally prevent unmonitored
communications then I think that detection is mostly moot. Instead you should
focus on prevention. In this case, analyze what you can and what you care about
and normalize the rest. All covert channels I can think of rely on using parts
of the data streams that are not used for the core protocol goals. Therefore
normalizing traffic rates, header fields, sequencing, fragmentation, etc will
simply remove the opportunity for almost all covert channels.
You will, of course, still need the forensic approach above if you want to
increase your confidence but as you find each possible channel you'll probably
only need to modify your normalization to remove it.
-J
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
