Detecting covert data channels?
- From: "Joff Thyer" <jsthyer@xxxxxxxxx>
- Date: Fri, 25 May 2007 10:34:38 -0400
It is reasonably trivial to encode data within packet headers, and
even encrypt said data as most are probably aware. There are past
examples where control information has been sent within ICMP and other
packets using header fields.
My question surrounds detection; given that IDS tends to be payload
focused, if a covert channel exists that has encrypted data in a
packet header, how do we go about detecting it?
My initial thought leans toward the fact that encrypted data blocks
are statistically flat over time. Given say 'snort', how can we use
this idea? I am not a snort expert by any means, so please no
flames!
I would be happy to summarize opinions.
-Joff Thyer
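One way to put the "statistically flat" idea into practice, as an added example that is not part of the original post or any Snort preprocessor: per flow, take a window of values from one header field (IP ID here), difference consecutive values, and measure the Shannon entropy of those deltas against the maximum the window size allows. Counters and sequence numbers used normally produce small, repetitive deltas; a field carrying ciphertext produces deltas that are close to uniform. The flows, field widths and threshold below are constructed for the demonstration.

```python
import math
import random
from collections import Counter


def shannon_entropy(samples):
    """Shannon entropy in bits of the empirical distribution of `samples`."""
    n = len(samples)
    return -sum(c / n * math.log2(c / n) for c in Counter(samples).values())


def delta_entropy_ratio(values, bits=16):
    """Entropy of consecutive differences (mod 2**bits), normalised to [0, 1]
    against the highest entropy this many samples could show. ~0 means a
    counter, ~1 means the field changes like random data."""
    deltas = [(b - a) % (1 << bits) for a, b in zip(values, values[1:])]
    if len(deltas) < 2:
        return 0.0
    max_bits = math.log2(min(len(deltas), 1 << bits))
    return shannon_entropy(deltas) / max_bits


def flag_flat_fields(flows, bits=16, window=64, threshold=0.9):
    """flows: {flow_key: [header field values in arrival order]}.
    Returns (flow_key, ratio) for flows whose most recent `window`
    values of the field look uniformly random."""
    alerts = []
    for key, values in flows.items():
        recent = values[-window:]
        if len(recent) < window:          # not enough evidence yet
            continue
        ratio = delta_entropy_ratio(recent, bits)
        if ratio >= threshold:
            alerts.append((key, round(ratio, 3)))
    return alerts


def build_sample_flows(n=64):
    """Constructed IP ID sequences: a plain counter, a host whose counter
    is shared across flows (small, varied deltas), and a flow whose IP ID
    field carries encrypted bytes (seeded PRNG stands in for ciphertext)."""
    rng = random.Random(7)
    sequential = [(1000 + i) % 65536 for i in range(n)]
    jitter, cur = [], 1000
    for _ in range(n):
        cur = (cur + rng.choice((1, 2, 3))) % 65536
        jitter.append(cur)
    covert = [rng.getrandbits(16) for _ in range(n)]
    return {"10.0.0.5->10.0.0.9 seq": sequential,
            "10.0.0.6->10.0.0.9 jitter": jitter,
            "10.0.0.7->10.0.0.9 covert": covert}
```

Hosts that randomise IP IDs or initial sequence numbers by design will also score high, so the threshold has to be judged against a per-host baseline rather than applied globally.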
- Follow-Ups:
- Re: Detecting covert data channels?
- From: Richard Bejtlich
- Re: Detecting covert data channels?
- From: Ron Gula
- Re: Detecting covert data channels?
- From: Skip Carter
- Re: Detecting covert data channels?
- From: Eric Hacker
- Re: Detecting covert data channels?
- From: Kowsik
- RE: Detecting covert data channels?
- From: Omar Herrera
- Re: Detecting covert data channels?
- From: vijay upadhyaya
- Re: Detecting covert data channels?