On Fri, 25 May 2007 10:34:38 -0400 "Joff Thyer" <[EMAIL PROTECTED]> wrote:
> It is reasonably trivial to encode data within packet headers, and
> even encrypt said data as most are probably aware. There are past
> examples where control information has been sent within ICMP and other
> packets using header fields.
>
> My question surrounds detection; given that IDS tends to be payload
> focused, if a covert channel exists that has encrypted data in a
> packet header, how do we go about detecting it?
>
> My initial thought leans toward the fact that encrypted data blocks
> are statistically flat over time. Given say 'snort', how can we use
> this idea? I am not a snort expert by any means, so please no
> flames!

One approach is to look for anomalous patterns in the traffic and not so much in the packets themselves. I have had real-world success in detecting a covert data channel in ICMP because the volume of data was way out of the norm for the network. I used Argus for this, not Snort (I typically run more than one network monitoring tool at a time on an IDS device -- it gives you different ways to look at what is going on).

Skip

--
Dr. Everett (Skip) Carter            Phone: 831-641-0645  FAX: 831-641-0647
Taygeta Network Security Services    email: [EMAIL PROTECTED]
1340 Munras Ave., Suite 314          WWW: http://www.taygeta.net/
Monterey, CA. 93940
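As an added illustration, not code from this thread nor from Argus or Snort, the two detection ideas raised above (per-host volume far outside the norm, and header fields that are statistically flat) worked over constructed flow summaries and IP ID samples; the record layout, the median baseline and the thresholds are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed flow summaries in the spirit of Argus output (not real Argus
# records): (proto, src, dst, bytes). 10.0.0.7 sends far more ICMP than its
# peers, the kind of "way out of the norm" volume the reply above describes.
FLOWS = [
    ("icmp", "10.0.0.5", "10.0.0.1", 98), ("icmp", "10.0.0.5", "10.0.0.1", 98),
    ("icmp", "10.0.0.6", "10.0.0.1", 98), ("tcp", "10.0.0.9", "10.0.0.1", 5000),
] + [("icmp", "10.0.0.7", "10.0.0.1", 1400)] * 8

def icmp_bytes_per_host(flows):
    """Sum ICMP bytes sent by each source host."""
    totals = defaultdict(int)
    for proto, src, _dst, nbytes in flows:
        if proto == "icmp":
            totals[src] += nbytes
    return dict(totals)

def volume_outliers(totals, factor=10.0):
    """Hosts whose ICMP volume exceeds `factor` times the median host's volume.
    The median is a crude baseline; a real deployment would use history."""
    if not totals:
        return []
    median = sorted(totals.values())[len(totals) // 2]
    return sorted(h for h, b in totals.items() if b > factor * max(median, 1))

def normalized_entropy(data):
    """Shannon entropy of a byte string scaled to [0, 1] by log2(len(data)),
    so short samples stay comparable. Encrypted/random content approaches 1."""
    n = len(data)
    if n < 2:
        return 0.0
    h = -sum(c / n * math.log2(c / n) for c in Counter(data).values())
    return h / math.log2(n)

def field_is_flat(values, width=2, threshold=0.9):
    """True when a run of header-field values (e.g. IP ID, `width` bytes each)
    is statistically flat, i.e. shows none of the structure a normal stack leaves."""
    data = b"".join(v.to_bytes(width, "big") for v in values)
    return normalized_entropy(data) > threshold

# Constructed header samples: sequential IP IDs as a normal stack might emit,
# and hand-picked values with no repeated bytes standing in for ciphertext.
SEQUENTIAL_IDS = list(range(1000, 1016))
FLAT_IDS = [0x9F3C, 0x17E2, 0xB860, 0x4AD1, 0x6E05, 0xC32B, 0x85F7, 0x2D94,
            0xF149, 0x5BA6, 0x0C7D, 0xE758, 0x3A91, 0xD2BF, 0x64C8, 0x1EA3]
```

Both `factor` and `threshold` need tuning against what the monitored network normally produces; sequential IP IDs score about 0.6 here, while the byte-distinct sample scores 1.0.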
