Usually, in every medium/large company network there is a firewall connecting the corporate LAN/WAN to the Internet, with a set of rules that only allows specific traffic such as HTTP, HTTPS, FTP or POP3/SMTP. A malicious internal user could take advantage of these open ports and use them to reach other services (tunnelling other protocols through them). For example, he could set up an SSH server on the Internet listening on port 443 and configure the internal SSH client to connect to that port. Such an arrangement makes it virtually impossible for an administrator to detect the real nature of the traffic. The same applies if there is a proxy providing Internet access to the LAN: by using tools like proxytunnel, it is possible to establish a connection to a server on the Internet without being detected.

This snort patch, based on the "tcpstatflow" tool and written to be compiled with snort-2.6.1.1 using the stream4 preprocessor, is designed to fight these techniques by detecting traffic that is not HTTP / HTTPS / FTP / SMTP, with a reasonable margin of error. It is based on the fact that these protocols present a huge asymmetry between the amount of data transmitted in one direction and in the opposite one (within a single TCP connection). As an example, consider an HTTP request: the browser sends a small packet with a GET command (plus some overhead) and receives in response a web page, an image or a download. The same asymmetry takes place in reverse with SMTP: your mail client sends your message, and a small acknowledgement is sent back by the server. Asymmetry. Keep that in mind.
To apply this patch, you must:

- Download the snort source (snort-2.6.1.1.tar.gz)
- Download the snort patch (snort_covered_channels_detection.txt)
- Apply the patch: patch -p0 <snort_covered_channels_detection.patch
- Compile and install snort
- To configure it, set the following two values in the config file:

    # detect_covered_channels [number] - Number of bytes to use as threshold to
    # detect covered channels, 0 to disable this check
    #
    # covered_channels_ports [list] - use the space separated list of ports in [list],
    # "all" will turn on detection for all ports, "default" will turn
    # on reassembly for ports 21, 25, 80 and 443

So, if the number of bytes on an ESTABLISHED TCP connection is greater than the "detect_covered_channels" threshold for both flows (from client to server, and from server to client), and the connection has a destination port in the "covered_channels_ports" list, a standard snort alarm is generated with GID 111 and SID 26.

Download from: http://geocities.com/fryxar/snort_covered_channels_detection.txt
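The check described above, modelled as an added stand-alone example (not code from the patch itself) over constructed per-connection byte counters; it assumes the two keywords are written one per line as "keyword value", since the post does not show the exact stream4 preprocessor line syntax, and the sample flows and byte counts are made up:

```python
# Added example, not code from the patch: a stand-alone model of the check the
# post describes, run over constructed per-connection byte counters.
# Assumption: the two keywords are given one per line as "keyword value"; the
# post does not show the exact stream4 preprocessor line syntax.
DEFAULT_PORTS = {21, 25, 80, 443}  # the post's "default" list
GID, SID = 111, 26                 # alert identifiers stated in the post

def parse_config(text):
    """Return (threshold, ports); ports is None when the list is "all"."""
    threshold, ports = 0, DEFAULT_PORTS
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blanks
        if not line:
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "detect_covered_channels":
            threshold = int(value)
        elif key == "covered_channels_ports":
            if value == "all":
                ports = None
            elif value == "default":
                ports = DEFAULT_PORTS
            else:
                ports = {int(p) for p in value.split()}
    return threshold, ports

def is_covered_channel(flow, threshold, ports):
    """Alert only when BOTH directions exceed the threshold on a watched port."""
    if threshold == 0:                      # 0 disables the check
        return False
    if ports is not None and flow["dport"] not in ports:
        return False
    return flow["c2s"] > threshold and flow["s2c"] > threshold

def find_covered_channels(flows, config):
    """Return (name, gid, sid) for every flow that would raise the alert."""
    threshold, ports = parse_config(config)
    return [(f["name"], GID, SID) for f in flows
            if is_covered_channel(f, threshold, ports)]

# Constructed sample flows (bytes per direction on one established TCP connection).
SAMPLE_FLOWS = [
    {"name": "http-download", "dport": 443, "c2s": 700, "s2c": 1_800_000},
    {"name": "smtp-send", "dport": 25, "c2s": 250_000, "s2c": 900},
    {"name": "ssh-over-443", "dport": 443, "c2s": 90_000, "s2c": 130_000},
    {"name": "ssh-on-22", "dport": 22, "c2s": 90_000, "s2c": 130_000},
]
SAMPLE_CONFIG = "detect_covered_channels 50000\ncovered_channels_ports default\n"
```

With the default port list only the tunnel on 443 is flagged; the genuine HTTP download and SMTP submission stay asymmetric and pass, and the SSH session on port 22 is ignored until "all" (or 22) is listed.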