[TOOL] tcpstatflow - Covert Tunnel Detector
From: SecuriTeam (support_at_securiteam.com)
Date: 11/20/03
To: list@securiteam.com Date: 20 Nov 2003 20:08:30 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
tcpstatflow - Covert Tunnel Detector
------------------------------------------------------------------------
DETAILS
In almost every medium-sized company network there is a firewall
connecting the corporate LAN/WAN to the Internet with a rule set that
allows only specific traffic, such as HTTP, HTTPS, FTP or POP3 / SMTP.
A malicious internal user could take advantage of these open ports and
use them to reach other services by sending other protocols through
them.
For example, he could set up an SSH server on the Internet listening on
port 443 and configure the intranet SSH client to connect to that port.
Such an arrangement makes it virtually impossible for an administrator to
detect the real nature of the traffic. The same applies when a proxy
provides Internet access to the LAN: with tools like proxy tunnel, it is
possible to establish a connection to a server on the Internet without
being detected.
tcpstatflow is a tool designed to counter these techniques by detecting
traffic that is not HTTP / HTTPS / FTP / SMTP / POP3, with a reasonable
margin of error. It is based on the observation that these protocols show
a large asymmetry between the amount of data transmitted in one direction
and in the other (within a single TCP connection).
As an example, consider HTTP requests: the browser sends a small packet
with a GET command (plus some extra overhead) and receives a web page, an
image or a download in response. The same asymmetry occurs in reverse
with SMTP: your mail client sends your message, and only a small
acknowledgement comes back from the server.
Asymmetry. Keep that in mind.
tcpstatflow listens to network traffic in promiscuous mode and analyzes
the incoming and outgoing packets of each TCP connection, generating
alarms when certain (configurable) thresholds are exceeded. These
thresholds refer to parameters such as the number of inbound and outbound
packets per connection, the number of inbound and outbound bytes per
connection, and the elapsed time of the connection.
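The asymmetry heuristic described above, worked through as an added example (this is not tcpstatflow's own code, and the threshold values and the sample flow records are constructed here for illustration): each TCP connection is summarised as a flow record, and a flow on a "permitted" port is flagged only when it is long-lived, carries enough volume, and its inbound and outbound byte counts are roughly balanced, which is what an interactive tunnel looks like and what a web download or a mail submission does not.

```python
from dataclasses import dataclass

@dataclass
class Flow:
    """Per-connection counters, as a promiscuous sniffer would accumulate them."""
    src: str
    dst: str
    dport: int
    pkts_out: int      # packets from the LAN host to the Internet host
    pkts_in: int       # packets from the Internet host back to the LAN host
    bytes_out: int
    bytes_in: int
    duration_s: float  # connection elapsed time in seconds

# Assumed thresholds for this example (not tcpstatflow's defaults).
MIN_PKTS = 200          # ignore short exchanges
MIN_BYTES = 50_000      # ignore low-volume connections
MIN_DURATION_S = 60.0   # tunnels tend to stay up; a GET does not
MAX_RATIO = 3.0         # bytes in the larger direction / bytes in the smaller

def asymmetry(flow: Flow) -> float:
    """Ratio of the heavier direction to the lighter one (inf if one side is empty)."""
    small, big = sorted((flow.bytes_in, flow.bytes_out))
    return float("inf") if small == 0 else big / small

def is_suspect(flow: Flow) -> bool:
    """True when a flow is big, long-lived and symmetric enough to look like a tunnel."""
    return (flow.pkts_in + flow.pkts_out >= MIN_PKTS
            and flow.bytes_in + flow.bytes_out >= MIN_BYTES
            and flow.duration_s >= MIN_DURATION_S
            and asymmetry(flow) <= MAX_RATIO)

def find_suspects(flows):
    """Return the flows that would raise an alarm, in input order."""
    return [f for f in flows if is_suspect(f)]

def alarm(flow: Flow) -> str:
    return (f"ALARM {flow.src} -> {flow.dst}:{flow.dport} "
            f"ratio={asymmetry(flow):.2f} duration={flow.duration_s:.0f}s")

# Constructed sample flows (RFC 5737 documentation addresses).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 443, 40, 900, 6_000, 1_200_000, 12.0),      # HTTPS download: strongly asymmetric
    Flow("10.0.0.6", "203.0.113.25", 25, 800, 30, 950_000, 2_500, 20.0),         # SMTP submission: asymmetric the other way
    Flow("10.0.0.7", "203.0.113.50", 443, 1500, 1400, 180_000, 210_000, 1800.0), # interactive session on 443: balanced, long-lived
    Flow("10.0.0.8", "203.0.113.60", 80, 20, 25, 2_000, 3_000, 5.0),             # tiny exchange: below the volume thresholds
]

if __name__ == "__main__":
    for f in find_suspects(SAMPLE_FLOWS):
        print(alarm(f))
```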
ADDITIONAL INFORMATION
The tool is available from: http://www.geocities.com/fryxar/
The information has been provided by fryxar (fryxar@datafull.com).
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.