Yo! Craig Chamberlain wrote: > This has been an area of interest for me for some time. It's very true > the regexp based detection technologies can produce high rates of false > positives and are easily evaded. It's not uncommon for data leaks to > take place over vpns; a case study like this was presented at blackhat > this year. Even without encryption, the number of possible obfuscation > techniques is quite large (and we're assuming the data is ASCII; there > are probably enough obscure back end applications with binary protocols > to keep a good sized protocol dissector development team frustrated > indefinitely).
I think detecting ccn with snort is mostly to spot accidental leaks - database replicas, logging, (unencrypted) backups or so. You have to adjust your signatures to detect the type of encoding your backend uses. > I've seen some good success combining specification based techniques - > like these regexps - with behavioral detection - such as using netflow > or other flow data, for example, to detect unexpected large or long > duration data streams headed for places that don't makes sense (e.g. > foreign networks, foreign countries or external networks with which no > business relationship exists). It seems to often be the case that > systems containing high-value data have a predictable enough network > behavioral repertoire that this kind of behavioral detection performs > acceptably. Detecting suspicious flows is a good idea anyway - with or without credit card numbers potentially floating about. > This kind of behavioral detection, optionally corroborated with > available specification based detection such as regexp detects, can have > acceptably low false positive rates. Another advantage of flow data is > that it is hard to evade detection of the fact that you're moving a lot > of data; you can obfuscate and encrypt the traffic but you can't conceal > the fact that a quantity of traffic (and presumably data, if the payload > is not garbage) is being transmitted. Of course, if an obvious attack of > some sort precedes all of this - with a resulting detect or detects from > an IDS to corroborate - then confidence is again higher. It is most likely possible to hide the fact that data is being transported as well (im sure you weren't actually trying to imply otherwise, just including it for the sake of completeness). Data could be transported in unused header fields of other data flows or just between other similar legetimate flows. Siim ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
