Focus on IDS
Help in writing Network IDS/IPS signature to detect sftp vulnerability, Jun 07 2008 12:21AM, Ravi Chunduru (ravi is chunduru gmail com) (2 replies)
RE: Help in writing Network IDS/IPS signature to detect sftp vulnerability, Jun 09 2008 08:21PM, Srinivasa Addepalli (srao intoto com)
behavior. You can use network behavior analysis to detect abnormal traffic
patterns, such as SSH traffic from unknown public IPs, or at unusual hours,
or unusual data transfer rates.
What IDS are you using?
-----Original Message-----
From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On behalf of Ravi Chunduru
Sent: Friday, June 06, 2008 07:22 p.m.
To: Focus IDS
Subject: Help in writing Network IDS/IPS signature to detect sftp vulnerability
Hi,
Check this disclosure at
http://archives.neohapsis.com/archives/fulldisclosure/2008-06/0101.html
The attack data is encrypted within the encrypted SSH. Without
having to decrypt the SSH, is there any clever way to detect this (using
some kind of anomaly on the packet size, type of characters, etc.)?
Thanks
Ravi
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
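The three anomalies the reply lists (SSH from unknown sources, at unusual hours, or at unusual transfer rates) can be checked on flow summaries without decrypting anything. The sketch below is an added example, not code from the thread; the flow tuple format, the allowlisted networks, the working hours and the rate multiplier are all assumptions, and the sample flows are constructed.

```python
import ipaddress
import statistics
from datetime import datetime

# Assumptions for this sketch: allowlisted sources, working hours, rate multiplier.
KNOWN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "203.0.113.0/24")]
WORK_HOURS = range(7, 20)   # 07:00-19:59 local time
RATE_FACTOR = 5             # flag rates above 5x the baseline median

# Constructed flow summaries for TCP/22: (start, source IP, bytes, seconds).
BASELINE = [
    ("2008-06-02T09:15:00", "10.1.2.3", 120_000, 60),
    ("2008-06-02T14:40:00", "203.0.113.10", 300_000, 120),
    ("2008-06-03T11:05:00", "10.1.2.9", 90_000, 45),
    ("2008-06-04T16:30:00", "10.1.2.3", 200_000, 100),
]
OBSERVED = [
    ("2008-06-06T10:00:00", "10.1.2.3", 150_000, 70),
    ("2008-06-06T03:12:00", "198.51.100.77", 40_000, 20),
    ("2008-06-06T13:45:00", "203.0.113.10", 90_000_000, 300),
]

def rate(flow):
    """Bytes per second for one flow; zero-length flows count as one second."""
    return flow[2] / max(flow[3], 1)

def score_flows(observed, baseline):
    """Return {flow index: [reasons]} for flows that deviate from the baseline."""
    median_rate = statistics.median(rate(f) for f in baseline)
    alerts = {}
    for i, flow in enumerate(observed):
        start, src, _, _ = flow
        reasons = []
        if not any(ipaddress.ip_address(src) in net for net in KNOWN_NETS):
            reasons.append("unknown-source")
        if datetime.fromisoformat(start).hour not in WORK_HOURS:
            reasons.append("off-hours")
        if rate(flow) > RATE_FACTOR * median_rate:
            reasons.append("high-rate")
        if reasons:
            alerts[i] = reasons
    return alerts

if __name__ == "__main__":
    for idx, why in score_flows(OBSERVED, BASELINE).items():
        print(OBSERVED[idx][1], OBSERVED[idx][0], ",".join(why))
```

These checks flag unusual SSH sessions in general; they say nothing about whether a flagged session carries the specific sftp attack from the disclosure.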