[Dshield] Communication when emails are being watched

JD lists at webcrunchers.com
Wed Dec 24 19:37:08 GMT 2003


On Dec 24, 2003, at 7:13 AM, DAN MORRILL wrote:

> Actually,
>
> You do have support for embedding messages in PING packets. That has 
> been a viable and valid covert channel for years at this point. They 
> even talked about it at a SANS conference that I went to and showed 
> images embedded in an ICMP packet that were captured at a honey pot. 
> So not being paranoid at all, especially since the channel exists, and 
> has been used in the past.
>
> Since the packet though will be larger, you could probably tack on a 
> rule that says If ICMP has "Data Payload" > 25 then capture >> 
> largeicmp.log

How hard would it be to write a snort rule for this?

John
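Added example, not part of the original thread: in a Snort rule the size test would be expressed with the `dsize` option, and the Python sketch below applies the same "ICMP data payload > 25" check offline to constructed packets. The packet builder, addresses and sample sizes are assumptions made for illustration. The samples include the default ping payloads of 32 bytes (Windows) and 56 bytes (Linux), which a cutoff of 25 also flags.

```python
import struct

THRESHOLD = 25  # ICMP data bytes; the cutoff proposed in the quoted message

def build_ip(proto, src, dst, body):
    """Constructed sample packet: minimal IPv4 header (checksum left 0) + body."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64,
                       proto, 0, bytes(src), bytes(dst)) + body

def echo(data):
    """ICMP echo request: type 8, code 0, checksum 0 (not verified here), id, seq."""
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1) + data

def icmp_payload_len(pkt):
    """ICMP data length of an IPv4 packet, or None if it is not usable ICMP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total, frag = struct.unpack("!H", pkt[2:4])[0], struct.unpack("!H", pkt[6:8])[0]
    if ihl < 20 or pkt[9] != 1 or frag & 0x1FFF:   # not ICMP, or a later fragment
        return None
    if total < ihl + 8 or total > len(pkt):        # truncated or inconsistent
        return None
    return total - ihl - 8                         # strip IP and 8-byte ICMP header

def large_icmp(packets, threshold=THRESHOLD):
    """Return (index, src, dst, payload_len) for ICMP packets over the threshold."""
    hits = []
    for i, pkt in enumerate(packets):
        n = icmp_payload_len(pkt)
        if n is not None and n > threshold:
            src, dst = (".".join(map(str, pkt[o:o + 4])) for o in (12, 16))
            hits.append((i, src, dst, n))
    return hits

A, B = (10, 0, 0, 5), (10, 0, 0, 1)   # constructed addresses
SAMPLES = [
    build_ip(1, A, B, echo(b"x" * 16)),    # small ping: below threshold
    build_ip(1, A, B, echo(b"x" * 32)),    # Windows ping default size
    build_ip(1, A, B, echo(b"x" * 56)),    # Linux ping default size
    build_ip(1, A, B, echo(b"x" * 1400)),  # unusually large payload
    build_ip(6, A, B, b"\x00" * 40),       # TCP: ignored
]

if __name__ == "__main__":
    for i, src, dst, n in large_icmp(SAMPLES):
        print(f"pkt#{i} {src} -> {dst} icmp payload {n} bytes")  # e.g. to largeicmp.log
```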



