RE: Detecting trojans on random ports with encrypted traffic...

From: Clint Byrum (cbyrum@spamaps.org)
Date: 10/30/02


From: Clint Byrum <cbyrum@spamaps.org>
To: Chris Petersen <chris@idsroi.com>
Date: 30 Oct 2002 10:28:32 -0800

On Wed, 2002-10-30 at 06:00, Chris Petersen wrote:
> A commercial solution you may also want to investigate is Stealthwatch
> by Lancope. From what I have read (haven't had hands on unfortunately)
> this technology is uniquely designed to detect those attacks where
> signatures don't or can't exist (e.g., reasons expressed below).
> Stealthwatch detects attacks via "flow-based analysis", that is they
> keep a table of who is talking to who and how. A newly installed
> trojan/backdoor should initiate a "flow" (unique SIP, DIP, SPort, DPort,
> Protocol) that has never been seen on the network before (e.g., outbound
> connection to attacker). This flow will be identified and compared to
> the baseline of "normal" flows captured/catalogued where it will be
> determined anomalous and an alarm will be generated.
>

Isn't this similar to what SPADE does in snort?

> May be worth investigating
> http://www.lancope.com/
>
>
>
> > -----Original Message-----
> > From: Clint Byrum [mailto:cbyrum@spamaps.org]
> > Sent: Thursday, October 24, 2002 2:22 PM
> > To: focus-ids@securityfocus.com
> > Subject: Re: Detecting trojans on random ports with encrypted
> > traffic...
> >
> >
> > On Thu, 2002-10-24 at 09:03, Frank Knobbe wrote:
> > > Intrusion Detection does not have to rely on signatures alone. You can
> > > and should create your own rules that can spot abnormal traffic.
> > >
> > > Since it sounds like you are using Snort, you can write rules that
> > > detect connections from and to ports that you normally don't use. The
> > > classic example is rules for a web server that alerts you when the web
> > > server starts to establish connections to the outside on its own (not
> > > counting any connections that are normal like virus scanner updates).
> > > Or create rules that allow users to connect to various allowed ports
> > > (i.e. ftp, http, ntp), but alerts you when there are odd outbound
> > > connections (such as some trojans would do).
> > >
> > > If you add some 'behavioral' rules to Snort, or any IDS, you can detect
> > > a great deal more than just with signatures.
> > >
> >
> > Well, as I stated in the original post, that's what I'm doing
> > right now. But I have run into one situation (only one
> > detected anyway) where a machine at one site was given a
> > trojan, running on port 80. The behavioral rules weren't
> > quite as complete as they should have been, so this wasn't
> > detected because site to site traffic wasn't considered suspicious.
> >
> > Sometimes behavioral rules can be very hard to write. In most
> > cases a site has a few servers in the front parts of the
> > subnet, followed by some network printers, then the client
> > machines. I suppose aligning things via CIDR would make it
> > easier to write these types of rules.
> >
> > Otherwise, when you're talking about sites with hundreds of
> > users, and > 30 or 40 servers... the rules start to multiply
> > quickly. And at least with snort... things get less and less
> > "lightweight" when you're talking about thousands of rules.
> > Maybe it's time to check out Prelude...
> >
> >
>


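The flow-based baseline Chris describes, and the site-to-site port 80 trojan Clint's port-based rules missed, worked as an added Python example (not code from this thread, from Stealthwatch or from Snort): a catalogue of conversations is learned from constructed training records, then any conversation never seen before is reported. One assumption goes beyond the description above: the key is (sip, dip, dport, proto) rather than the full 5-tuple, because the initiating side's source port is ephemeral and would make every new connection look novel.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "sip dip sport dport proto")

def parse_flows(text):
    """Parse constructed flow records, one per line: 'sip dip sport dport proto'."""
    flows = []
    for line in text.strip().splitlines():
        sip, dip, sport, dport, proto = line.split()
        flows.append(Flow(sip, dip, int(sport), int(dport), proto.lower()))
    return flows

def flow_key(flow):
    # Source port dropped (assumption): it is ephemeral on the initiating side,
    # so keying on the full 5-tuple would flag every new connection, not every new conversation.
    return (flow.sip, flow.dip, flow.dport, flow.proto)

def learn_baseline(flows):
    """Training window: every conversation seen here is catalogued as normal."""
    return {flow_key(f) for f in flows}

def novel_flows(baseline, flows):
    """Flows whose conversation key never appeared during the training window."""
    return [f for f in flows if flow_key(f) not in baseline]

# Constructed training traffic: site A web server 10.1.1.10, DNS at 10.1.1.53,
# a site A client 10.1.2.5, and a site B client 10.2.2.20 browsing site A.
TRAINING = """
10.1.2.5 10.1.1.10 50123 80 tcp
10.2.2.20 10.1.1.10 41000 80 tcp
10.1.1.10 10.1.1.53 33001 53 udp
10.1.2.5 10.1.1.53 33002 53 udp
"""

# Constructed observed traffic: two repeat conversations, the web server calling
# out on 443, and a client reaching a site B host on port 80 (the trojan case above).
OBSERVED = """
10.1.2.5 10.1.1.10 50999 80 tcp
10.1.1.10 10.1.1.53 33555 53 udp
10.1.1.10 198.51.100.7 44001 443 tcp
10.1.2.5 10.2.2.99 44002 80 tcp
"""

def detect(training=TRAINING, observed=OBSERVED):
    return novel_flows(learn_baseline(parse_flows(training)), parse_flows(observed))

if __name__ == "__main__":
    for f in detect():
        print(f"NEW FLOW {f.sip} -> {f.dip}:{f.dport}/{f.proto}")
```

Both the web server's outbound 443 connection and the client-to-site-B port 80 conversation are reported, while the repeat conversations (including the normal site-to-site browsing from 10.2.2.20) stay quiet; a real deployment would also need an ageing policy for the baseline so that stale conversations do not stay "normal" forever.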