[Dshield] Communication when emails are being watched
Johannes B. Ullrich
jullrich at sans.org
Wed Dec 24 20:04:18 GMT 2003
One of the classic covert channel tools is 'loki'. It's quite old
(1995/96?) and there should be an old phrack article around with
Signature based IDSs (like snort) usually don't do too well in
detecting new covert channels. The best defence against a covert
channel is to know what your network traffic is supposed to look
like, so you will recognize an excess of ICMP (or other traffic).
A more recent example of a trojan with covert channel is
Calypso/sinit. See the diary from Dec. 16th for details:
it includes a pdf filter for this particular trojan.
> > Since the packet though will be larger, you could probably tack on a
> > rule that says If ICMP has "Data Payload" > 25 then capture >>
> > largeicmp.log
> How hard would it be to write a snort rule for this?
CTO SANS Internet Storm Center http://isc.sans.org
phone: (617) 786 1563
fax: (617) 786 1550 jullrich at sans.org
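The "ICMP data payload > 25" idea from the quoted question, worked out as defender-side detection logic in Python (an added example, not code from this thread or from the ISC): it parses constructed IPv4/ICMP frames, flags payloads over the threshold (the same test a Snort rule expresses with the dsize option), and builds a payload-size histogram so the threshold can be checked against the baseline traffic the post recommends knowing. The packets, addresses and threshold constant are constructed for the example.

```python
import struct
from collections import Counter

# Threshold from the thread: ICMP data payload larger than 25 bytes is flagged.
# Equivalent Snort rule option: dsize:>25
PAYLOAD_THRESHOLD = 25


def build_icmp_packet(payload: bytes, icmp_type: int = 8) -> bytes:
    """Constructed IPv4 + ICMP echo frame for testing (checksums zeroed, addresses
    from the documentation range 192.0.2.0/24; not a captured packet)."""
    total_len = 20 + 8 + len(payload)
    ip_header = struct.pack("!BBHHHBBH4s4s",
                            0x45, 0, total_len, 0x1234, 0, 64, 1, 0,
                            bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    icmp_header = struct.pack("!BBHHH", icmp_type, 0, 0, 0x0001, 0x0001)
    return ip_header + icmp_header + payload


def icmp_payload_length(packet: bytes):
    """Return the ICMP data payload length, or None if this is not a well-formed
    IPv4 ICMP packet (other protocols, truncated frames, bad header lengths)."""
    if len(packet) < 20:
        return None
    version_ihl = packet[0]
    if version_ihl >> 4 != 4:
        return None
    ihl = (version_ihl & 0x0F) * 4                 # IPv4 header length in bytes
    total_len = struct.unpack("!H", packet[2:4])[0]
    proto = packet[9]                              # 1 = ICMP
    if proto != 1 or total_len > len(packet) or ihl + 8 > total_len:
        return None
    return total_len - ihl - 8                     # strip IP and 8-byte ICMP header


def find_large_icmp(packets, threshold=PAYLOAD_THRESHOLD):
    """Return (index, payload_length) for every packet exceeding the threshold."""
    hits = []
    for i, pkt in enumerate(packets):
        n = icmp_payload_length(pkt)
        if n is not None and n > threshold:
            hits.append((i, n))
    return hits


def payload_size_profile(packets):
    """Histogram of observed ICMP payload sizes: the baseline to compare against
    before trusting a fixed threshold."""
    return Counter(n for n in map(icmp_payload_length, packets) if n is not None)
```

Ordinary ping implementations already send payloads above 25 bytes (56 bytes on many Unix pings, 32 on Windows), so the histogram is what tells you where normal traffic for your network actually sits before the threshold is worth alerting on.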