[TOOL] tcpstatflow - Covert Tunnel Detector

From: SecuriTeam (support_at_securiteam.com)
Date: 11/20/03

To: list@securiteam.com
Date: 20 Nov 2003 20:08:30 +0200


    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      tcpstatflow - Covert Tunnel Detector
    ------------------------------------------------------------------------

    DETAILS

    In almost every medium-sized company network there is a firewall
    connecting the corporate LAN/WAN to the Internet, with a rule set that
    only allows specific traffic such as HTTP, HTTPS, FTP or POP3 / SMTP. A
    malicious internal user can take advantage of these open ports and use
    them to reach other services, by sending other protocols through them.

    For example, he could set up an SSH server on the Internet listening on
    port 443, and configure the intranet SSH client to connect to that port.
    Such an arrangement makes it virtually impossible for an administrator to
    detect the real nature of the traffic. The same applies when a proxy
    provides Internet access to the LAN: with tools like proxy tunnel it is
    possible to establish a connection to a server on the Internet without
    being detected.

    tcpstatflow is a tool designed to fight these techniques by detecting
    traffic that is not HTTP / HTTPS / FTP / SMTP / POP3, with a reasonable
    margin of error. It is based on the fact that these protocols present a
    huge asymmetry between the amount of data transmitted in one direction
    and the amount transmitted in the other (within a single TCP connection).

    As an example, consider an HTTP request: the browser sends a small packet
    with a GET command (and some extra overhead) and in response receives a
    web page, an image, or a download. The same asymmetry appears in reverse
    with SMTP: your mail client sends your message, and a small
    acknowledgement comes back from the server. Asymmetry. Keep that in mind.

    tcpstatflow listens to network traffic in promiscuous mode and analyzes
    the incoming and outgoing packets of each TCP connection, generating
    alarms when certain (configurable) thresholds are exceeded. These
    thresholds refer to parameters such as the number of inbound and outbound
    packets per connection, the number of inbound and outbound bytes per
    connection, and the connection's elapsed time.
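    The following is an added illustration of the asymmetry heuristic described above; it is not tcpstatflow's own code, and the field names, thresholds and sample flows are assumptions chosen for the demonstration. It judges each flow only once it is large and long-lived enough to matter, then flags flows whose two directions carry comparable packet or byte volumes, which is what an interactive tunnel looks like and a normal web download or mail submission does not.

```python
from dataclasses import dataclass
from typing import List

@dataclass
class FlowStats:
    # Per-connection counters of the kind the text describes (field names are assumptions).
    src: str
    dst: str
    dport: int
    pkts_out: int      # payload-carrying packets, client -> server
    pkts_in: int       # payload-carrying packets, server -> client
    bytes_out: int
    bytes_in: int
    elapsed_s: float   # connection lifetime in seconds

# Assumed thresholds: a flow is only judged once it is big and long enough to matter.
MIN_PKTS, MIN_BYTES, MIN_ELAPSED_S = 40, 20_000, 30.0
# Ratio of the smaller direction to the larger above which a flow counts as symmetric.
SYMMETRY_RATIO = 0.5

def symmetry(a: int, b: int) -> float:
    """0.0 = completely one-sided, 1.0 = identical volume in both directions."""
    lo, hi = sorted((a, b))
    return lo / hi if hi else 0.0

def is_suspicious(f: FlowStats) -> bool:
    if (f.pkts_in + f.pkts_out < MIN_PKTS or f.bytes_in + f.bytes_out < MIN_BYTES
            or f.elapsed_s < MIN_ELAPSED_S):
        return False   # too small or too short to judge; avoids alerting on every tiny request
    # HTTP/FTP/SMTP/POP3 are lopsided in at least one measure; an interactive tunnel is not.
    return (symmetry(f.pkts_in, f.pkts_out) >= SYMMETRY_RATIO
            or symmetry(f.bytes_in, f.bytes_out) >= SYMMETRY_RATIO)

def scan(flows: List[FlowStats]) -> List[str]:
    """Return 'src->dst:port' for every flow that trips the asymmetry check."""
    return [f"{f.src}->{f.dst}:{f.dport}" for f in flows if is_suspicious(f)]

# Constructed sample flows (RFC 5737 documentation addresses), not captured traffic.
SAMPLE_FLOWS = [
    FlowStats("10.0.0.5", "203.0.113.10", 80, 3, 120, 600, 170_000, 45.0),       # web download
    FlowStats("10.0.0.5", "203.0.113.25", 25, 210, 6, 290_000, 800, 40.0),       # outgoing mail
    FlowStats("10.0.0.5", "203.0.113.10", 443, 4, 5, 900, 3_200, 2.0),           # short TLS fetch
    FlowStats("10.0.0.5", "203.0.113.77", 443, 310, 330, 9_800, 42_000, 600.0),  # SSH-style session on 443
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_FLOWS):
        print("symmetric long-lived flow:", alert)
```

    Only the long-lived, two-way session on port 443 is reported; the short TLS fetch never reaches the minimum thresholds, so the size and lifetime limits are what keep the false-positive rate reasonable.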

    ADDITIONAL INFORMATION

    The tool is available from: http://www.geocities.com/fryxar/

    The information has been provided by fryxar (fryxar@datafull.com).


