[Dshield] Communication when emails are being watched
lists at webcrunchers.com
Wed Dec 24 19:37:08 GMT 2003
On Dec 24, 2003, at 7:13 AM, DAN MORRILL wrote:
> You do have support for embedding messages in PING packets. That has
> been a viable and valid covert channel for years at this point. They
> even talked about it at a SANS conference that I went to and showed
> images embedded in an ICMP packet that were captured at a honey pot.
> So not being paranoid at all, especially since the channel exists, and
> has been used in the past.
> Since the packet though will be larger, you could probably tack on a
> rule that says If ICMP has "Data Payload" > 25 then capture >>
How hard would it be to write a snort rule for this?
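
The size test proposed in the quoted message, as an added example that is not part of the original thread (in Snort the comparison itself corresponds to the `dsize` option). The function names, the sample packets and the two default ping payload layouts are assumptions made for illustration; the sketch shows that a bare "payload > 25" test also matches ordinary pings, so known default payloads are separated out before capture.

```python
import struct

THRESHOLD = 25  # payload size from the quoted suggestion
# Assumed default echo payloads of common ping tools (not taken from the thread):
WINDOWS_DEFAULT = b"abcdefghijklmnopqrstuvwabcdefghi"  # 32 bytes
LINUX_TAIL = bytes(range(0x10, 0x38))  # 40 counting bytes after a 16-byte timestamp

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over an ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(payload: bytes, ident: int = 1, seq: int = 1) -> bytes:
    """Build a constructed ICMP echo request (type 8) for the samples below."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload

def classify(icmp: bytes) -> str:
    """Return 'ignore', 'default-ping' or 'capture' for one ICMP message."""
    if len(icmp) < 8:
        return "ignore"
    icmp_type = icmp[0]
    if icmp_type not in (0, 8):  # only echo reply / echo request carry ping data
        return "ignore"
    payload = icmp[8:]
    if len(payload) <= THRESHOLD:
        return "ignore"
    # Everything below exceeds the threshold; a size-only rule would alert here.
    if payload == WINDOWS_DEFAULT:
        return "default-ping"
    if len(payload) == 56 and payload[16:] == LINUX_TAIL:
        return "default-ping"
    return "capture"

# Constructed sample packets (not captured traffic).
SAMPLES = {
    "short": build_echo(b"hi"),
    "windows": build_echo(WINDOWS_DEFAULT),
    "linux": build_echo(b"\x00" * 16 + LINUX_TAIL),  # timestamp zeroed
    "text": build_echo(b"constructed sample text carried in an echo payload"),
}

if __name__ == "__main__":
    for name, packet in SAMPLES.items():
        print(f"{name:8} payload={len(packet) - 8:3} -> {classify(packet)}")
```
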