Re: Detecting trojans on random ports with encrypted traffic...

From: Clint Byrum <cbyrum@spamaps.org>
To: focus-ids@securityfocus.com
Date: 24 Oct 2002 11:21:39 -0700

On Thu, 2002-10-24 at 09:03, Frank Knobbe wrote:
> Intrusion Detection does not have to rely on signatures alone. You can
> and should create your own rules that can spot abnormal traffic.
>
> Since it sounds like you are using Snort, you can write rules that
> detect connections from and to ports that you normally don't use. The
> classic example is rules for a web server that alert you when the web
> server starts to establish connections to the outside on its own (not
> counting any connections that are normal, like virus scanner updates). Or
> create rules that allow users to connect to various allowed ports (i.e.
> ftp, http, ntp), but alert you when there are odd outbound connections
> (such as some trojans would make).
>
> If you add some 'behavioral' rules to Snort, or any IDS, you can detect a
> great deal more than just with signatures.
>

Well, as I stated in the original post, that's what I'm doing right now.
But I have run into one situation (only one detected, anyway) where a
machine at one site was given a trojan, running on port 80. The
behavioral rules weren't quite as complete as they should have been, so
this wasn't detected because site-to-site traffic wasn't considered
suspicious.

Sometimes behavioral rules can be very hard to write. In most cases a
site has a few servers in the front parts of the subnet, followed by
some network printers, then the client machines. I suppose aligning
things via CIDR would make it easier to write these types of rules.

Otherwise, when you're talking about sites with hundreds of users, and
more than 30 or 40 servers... the rules start to multiply quickly. And at least
with Snort... things get less and less "lightweight" when you're talking
about thousands of rules. Maybe it's time to check out Prelude...
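
The behavioural rules described in this thread (servers that start initiating outbound connections, clients making odd outbound connections, and the site-to-site blind spot that let a port-80 trojan through), modelled as an added example in Python over constructed flow records rather than Snort rule syntax; this is not code from the original post. The role networks, allowed update host, ports and flows are all made up for the illustration, and roles are aligned to CIDR blocks as the post suggests, so a site with many servers still needs only one rule per role.

```python
# Added example: behavioural connection checks keyed on CIDR-aligned roles.
# All networks, hosts and flows are constructed for illustration.
import ipaddress
from typing import NamedTuple, Optional

class Flow(NamedTuple):
    src: str    # initiating host (the side that sent the SYN)
    dst: str
    dport: int

# Constructed topology per site: servers at the front of the subnet,
# then printers, then clients. Two sites, same layout.
ROLES = {
    "server":  [ipaddress.ip_network("10.1.0.0/26"),   ipaddress.ip_network("10.2.0.0/26")],
    "printer": [ipaddress.ip_network("10.1.0.64/26"),  ipaddress.ip_network("10.2.0.64/26")],
    "client":  [ipaddress.ip_network("10.1.0.128/25"), ipaddress.ip_network("10.2.0.128/25")],
}
# Outbound connections a server is expected to initiate (e.g. AV updates).
ALLOWED_SERVER_DST = [ipaddress.ip_network("198.51.100.10/32")]
# Ports clients may reach anywhere; any other outbound connection is "odd".
CLIENT_ALLOWED_PORTS = {21, 80, 123, 443}

def role_of(addr: str) -> str:
    """Map an address to its role by CIDR block; anything unmatched is external."""
    ip = ipaddress.ip_address(addr)
    for role, nets in ROLES.items():
        if any(ip in n for n in nets):
            return role
    return "external"

def check_flow(f: Flow) -> Optional[str]:
    """Return an alert message for a suspicious flow, or None if it looks normal."""
    src_role, dst_role = role_of(f.src), role_of(f.dst)
    dst = ipaddress.ip_address(f.dst)
    if dst_role in ("client", "printer"):
        # Only servers should accept connections. A listener on a client, even on
        # port 80 and even when the peer is another of our own sites, is suspicious.
        return f"{dst_role} {f.dst} accepted connection on {f.dport} from {f.src}"
    if src_role == "server":
        # A server initiating a connection to anything but its update hosts is
        # suspicious, including servers at another site: that is the site-to-site
        # gap the post describes.
        if not any(dst in n for n in ALLOWED_SERVER_DST):
            return f"server {f.src} initiated connection to {f.dst}:{f.dport}"
    elif src_role == "printer":
        # Printers have no business opening outbound connections at all.
        return f"printer {f.src} initiated connection to {f.dst}:{f.dport}"
    elif src_role == "client" and f.dport not in CLIENT_ALLOWED_PORTS:
        return f"client {f.src} odd outbound connection to {f.dst}:{f.dport}"
    return None
```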
