RE: Detecting trojans on random ports with encrypted traffic...
From: Chris Petersen (chris@idsroi.com) Date: 10/30/02
- Previous message: Jérôme Tytgat: "Re: Snort Monitoring"
- In reply to: Clint Byrum: "Re: Detecting trojans on random ports with encrypted traffic..."
- Next in thread: Clint Byrum: "RE: Detecting trojans on random ports with encrypted traffic..."
- Reply: Clint Byrum: "RE: Detecting trojans on random ports with encrypted traffic..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 30 Oct 2002 09:00:10 -0500 From: Chris Petersen <chris@idsroi.com> To: 'Clint Byrum' <cbyrum@spamaps.org>, focus-ids@securityfocus.com
A commercial solution you may also want to investigate is Stealthwatch
by Lancope. From what I have read (haven't had hands on unfortunately)
this technology is uniquely designed to detect those attacks where
signatures don't or can't exist (e.g., reasons expressed below).
Stealthwatch detects attacks via "flow-based analysis", that is they
keep a table of who is talking to whom and how. A newly installed
trojan/backdoor should initiate a "flow" (unique SIP, DIP, SPort, DPort,
Protocol) that has never been seen on the network before (e.g., outbound
connection to attacker). This flow will be identified and compared to
the baseline of "normal" flows captured/catalogued where it will be
determined anomalous and an alarm will be generated.
May be worth investigating
http://www.lancope.com/
> -----Original Message-----
> From: Clint Byrum [mailto:cbyrum@spamaps.org]
> Sent: Thursday, October 24, 2002 2:22 PM
> To: focus-ids@securityfocus.com
> Subject: Re: Detecting trojans on random ports with encrypted
> traffic...
>
>
> On Thu, 2002-10-24 at 09:03, Frank Knobbe wrote:
> > Intrusion Detection does not have to rely on signatures alone. You can
> > and should create your own rules that can spot abnormal traffic.
> >
> > Since it sounds like you are using Snort, you can write rules that
> > detect connections from and to ports that you normally don't use. The
> > classic example is rules for a web server that alerts you when the web
> > server starts to establish connections to the outside on its own (not
> > counting any connections that are normal like virus scanner updates).
> > Or create rules that allow users to connect to various allowed ports
> > (i.e. ftp, http, ntp), but alerts you when there are odd outbound
> > connections (such as some trojans would do).
> >
> > If you add some 'behavioral' rules to Snort, or any IDS, you can detect
> > a great deal more than just with signatures.
> >
>
> Well, as I stated in the original post, that's what I'm doing
> right now. But I have run into one situation (only one
> detected anyway) where a machine at one site was given a
> trojan, running on port 80. The behavioral rules weren't
> quite as complete as they should have been, so this wasn't
> detected because site-to-site traffic wasn't considered suspicious.
>
> Sometimes behavioral rules can be very hard to write. In most
> cases a site has a few servers in the front parts of the
> subnet, followed by some network printers, then the client
> machines. I suppose aligning things via CIDR would make it
> easier to write these types of rules.
>
> Otherwise, when you're talking about sites with hundreds of
> users, and > 30 or 40 servers... the rules start to multiply
> quickly. And at least with Snort... things get less and less
> "lightweight" when you're talking about thousands of rules.
> Maybe it's time to check out Prelude...
>
>
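The flow-table idea Chris describes above (learn the flows seen during a baseline period, alarm on a flow that was never seen), as an added illustration that is not part of this message and is not Lancope's or StealthWatch's code. The flow records, the whitespace-separated record format and all addresses are constructed for the example. Two practitioner caveats are built in: a literal 5-tuple baseline would alarm on every connection because client source ports are ephemeral, so the baseline is keyed on (src, dst, dst port, proto); and a new client talking to a service that already has several known clients is treated as expected, which keeps the web-server-calls-out and site-to-site-on-port-80 cases from the thread alarming without flagging every new workstation.

```python
"""Flow-baseline anomaly detection over constructed flow records (added example)."""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    sip: str
    dip: str
    sport: int
    dport: int
    proto: str


PairKey = Tuple[str, str, int, str]      # (sip, dip, dport, proto): source port dropped
ServiceKey = Tuple[str, int, str]        # (dip, dport, proto): the service being reached


class Baseline(NamedTuple):
    pairs: Set[PairKey]                   # every (who -> whom, on which service) seen
    services: Dict[ServiceKey, Set[str]]  # service -> distinct client sources seen


def _records(lines: Iterable[str]) -> Iterable[str]:
    """Yield non-empty records with trailing '#' comments stripped."""
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if line:
            yield line


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: '<sip> <dip> <sport> <dport> <proto>'."""
    sip, dip, sport, dport, proto = line.split()
    return Flow(sip, dip, int(sport), int(dport), proto.lower())


def pair_key(f: Flow) -> PairKey:
    return (f.sip, f.dip, f.dport, f.proto)


def service_key(f: Flow) -> ServiceKey:
    return (f.dip, f.dport, f.proto)


def build_baseline(lines: Iterable[str]) -> Baseline:
    """Catalogue the flows observed during the learning period."""
    pairs: Set[PairKey] = set()
    services: Dict[ServiceKey, Set[str]] = defaultdict(set)
    for rec in _records(lines):
        f = parse_flow(rec)
        pairs.add(pair_key(f))
        services[service_key(f)].add(f.sip)
    return Baseline(pairs, dict(services))


def is_anomalous(baseline: Baseline, f: Flow, min_clients: int = 2) -> bool:
    """True when this flow was never seen and its destination service is not
    an established one (fewer than min_clients distinct sources in baseline)."""
    if pair_key(f) in baseline.pairs:
        return False
    if len(baseline.services.get(service_key(f), ())) >= min_clients:
        return False  # new client of a well-used service: expected, not an alarm
    return True


def detect_new_flows(baseline: Baseline, lines: Iterable[str],
                     min_clients: int = 2) -> List[Flow]:
    """Return the observed flows that should raise an alarm."""
    return [f for f in map(parse_flow, _records(lines))
            if is_anomalous(baseline, f, min_clients)]


# Constructed learning-period records: intranet web clients, a web server
# fetching AV updates, and an existing site-to-site file share.
BASELINE_RECORDS = """
10.1.1.10 10.1.1.5 40001 80 tcp
10.1.1.10 10.1.1.5 40002 80 tcp
10.1.1.11 10.1.1.5 40003 80 tcp
10.1.1.5 198.51.100.7 50001 80 tcp   # web server -> AV update host (normal)
10.1.1.10 10.2.1.5 40004 445 tcp     # site A client -> site B file server
"""

# Constructed observation-period records.
OBSERVED_RECORDS = """
10.1.1.10 10.1.1.5 40100 80 tcp      # known pair: quiet
10.1.1.12 10.1.1.5 40101 80 tcp      # new client of an established service: quiet
10.1.1.5 198.51.100.7 50100 80 tcp   # known outbound: quiet
10.1.1.5 203.0.113.9 50101 80 tcp    # web server calling out to unknown host: alarm
10.1.1.10 10.2.1.20 40102 80 tcp     # site-to-site to a host never seen on 80: alarm
"""

if __name__ == "__main__":
    base = build_baseline(BASELINE_RECORDS.splitlines())
    for f in detect_new_flows(base, OBSERVED_RECORDS.splitlines()):
        print(f"ALARM new flow: {f.sip} -> {f.dip}:{f.dport}/{f.proto}")
```

The min_clients threshold is the knob that trades false positives for coverage: set it to 1 and any never-seen (source, service) pair alarms, which is closest to what the message describes and is the right setting for a server segment where hosts should not initiate anything new; raise it on client segments where new workstations appear routinely.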