If the data is encoded in the header, then it might be very difficult to check for the presence of covert channels. www.2factor.us/tunnel.html has discussed and implemented such a system, wherein a malicious covert channel is established through the unused header fields and the channel is encrypted.
One of the solutions (discussed at www.2factor.us/tunnel) for the IPS can be to normalize or enforce policies on the unused header fields. This can prevent the malicious covert channel.
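A sketch of the header normalization suggested above, added here as an example; it is not code from this post or from the 2factor page. The post does not name the fields, so the three handled here (the IPv4 reserved flag bit, the TCP reserved bits, and the urgent pointer when URG is clear) are assumptions, as are the function names; fragments and packets with bad checksums are passed through untouched.

```python
import struct

def csum(data: bytes) -> int:
    """RFC 1071 Internet checksum; returns 0 when run over a valid header."""
    data = bytes(data) + b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def tcp_csum(pkt: bytes, ihl: int, end: int) -> int:
    """TCP checksum including the IPv4 pseudo-header."""
    seg = bytes(pkt[ihl:end])
    return csum(bytes(pkt[12:20]) + struct.pack("!BBH", 0, 6, len(seg)) + seg)

def normalize(packet: bytes):
    """Zero the policy-listed unused fields; return (packet, names of fields changed)."""
    pkt, found = bytearray(packet), []
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return packet, found
    ihl, end = (pkt[0] & 0x0F) * 4, struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or not ihl <= end <= len(pkt) or csum(pkt[:ihl]):
        return packet, found              # malformed or bad checksum: not repaired here
    if pkt[6] & 0x80:                     # IPv4 reserved flag bit
        pkt[6] &= 0x7F
        found.append("ip.reserved_flag")
    fragment = struct.unpack("!H", pkt[6:8])[0] & 0x3FFF   # MF bit or fragment offset
    tcp = pkt[9] == 6 and not fragment and end - ihl >= 20 and not tcp_csum(pkt, ihl, end)
    if tcp and pkt[ihl + 12] & 0x0F:      # TCP reserved bits (RFC 9293)
        pkt[ihl + 12] &= 0xF0
        found.append("tcp.reserved_bits")
    if tcp and not pkt[ihl + 13] & 0x20 and pkt[ihl + 18:ihl + 20] != b"\0\0":
        pkt[ihl + 18:ihl + 20] = b"\0\0"  # urgent pointer is unused when URG is clear
        found.append("tcp.urgent_pointer")
    if found:                             # recompute over the rewritten IP header
        pkt[10:12] = b"\0\0"
        pkt[10:12] = struct.pack("!H", csum(pkt[:ihl]))
    if tcp and found:                     # and over the rewritten TCP segment
        pkt[ihl + 16:ihl + 18] = b"\0\0"
        pkt[ihl + 16:ihl + 18] = struct.pack("!H", tcp_csum(pkt, ihl, end))
    return bytes(pkt), found

def sample_packet() -> bytes:
    """Constructed IPv4/TCP SYN test packet with non-zero values in all three fields."""
    pkt = bytearray(struct.pack(
        "!BBHHHBBH4s4sHHIIBBHHH", 0x45, 0, 40, 1, 0x8000, 64, 6, 0, bytes([192, 0, 2, 1]),
        bytes([198, 51, 100, 7]), 40000, 80, 1, 0, 0x5A, 0x02, 1024, 0, 0xBEEF))
    pkt[10:12] = struct.pack("!H", csum(pkt[:20]))
    pkt[36:38] = struct.pack("!H", tcp_csum(pkt, 20, 40))
    return bytes(pkt)
```

The returned field names can be logged as an alert, since a non-zero value in any of these fields on otherwise valid traffic is itself worth recording.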
