Craig Chamberlain wrote:
> Good point; what I'm suggesting is that while it's relatively easy to
> hide or obfuscate the data itself, it is hard to conceal the fact
> that data - or packets - are being transmitted, possibly using a
> recognizable application protocol, to an unexpected destination,
> which can be a useful last-ditch detection mechanism when the other
> methods fail - or can be a useful corroboration when correlated with
> the other detect data.
There is bound to be some sort of legitimate production traffic. For
example, if there are https connections coming in to a specific machine
and specific port. You can detect if that machine starts sending out
data on its own or starts accepting connections on another port.
However, if the same port starts serving credit card numbers
(obfuscated) or even hides the credit card numbers in tcp sequence
numbers (or does something even more subtle as serving them by changing
the case of "A" letters in http connections from certain addresses) the
movement of data should be extremely hard to detect.
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaig
n=intro_sfw
to learn more.
------------------------------------------------------------------------
Craig Chamberlain wrote:
> Good point; what I'm suggesting is that while it's relatively easy to
> hide or obfuscate the data itself, it is hard to conceal the fact
> that data - or packets - are being transmitted, possibly using a
> recognizable application protocol, to an unexpected destination,
> which can be a useful last-ditch detection mechanism when the other
> methods fail - or can be a useful corroboration when correlated with
> the other detect data.
There is bound to be some sort of legitimate production traffic. For
example, if there are https connections coming in to a specific machine
and specific port. You can detect if that machine starts sending out
data on its own or starts accepting connections on another port.
However, if the same port starts serving credit card numbers
(obfuscated) or even hides the credit card numbers in tcp sequence
numbers (or does something even more subtle as serving them by changing
the case of "A" letters in http connections from certain addresses) the
movement of data should be extremely hard to detect.
Siim
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaig
n=intro_sfw
to learn more.
------------------------------------------------------------------------
[ reply ]