[Dshield] Communication when emails are being watched

Johannes B. Ullrich jullrich at sans.org
Wed Dec 24 20:04:18 GMT 2003

One of the classic covert channel tools is 'loki'. Its quite old
(1995/96?) and there should be an old phrack article around with 

Signature based IDS's (like snort) usually don't do too well in
detecting new covert channels. The best deffence against a covert
channel is to know what your network traffic is supposed to look
like, so you will recognize an excess of ICMP (or other traffic).

A more recent example of a trojan with covert channel is 
Calypso/sinit. See the diary from Dec. 16th for details:

it includes a pdf filter for this particular trojan.

> > Since the packet though will be larger, you could probably tack on a 
> > rule that says If ICMP has "Data Payload" > 25 then capture >> 
> > largeicmp.log
> How hard would it be to write a snort rule for this?

CTO SANS Internet Storm Center               http://isc.sans.org
phone: (617) 786 1563            
  fax: (617) 786 1550                          jullrich at sans.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://www.dshield.org/pipermail/list/attachments/20031224/f579b1cd/attachment.bin

More information about the list mailing list