Yo! Craig Chamberlain wrote: > Good point; what I'm suggesting is that while it's relatively easy to > hide or obfuscate the data itself, it is hard to conceal the fact > that data - or packets - are being transmitted, possibly using a > recognizable application protocol, to an unexpected destination, > which can be a useful last-ditch detection mechanism when the other > methods fail - or can be a useful corroboration when correlated with > the other detect data.
There is bound to be some sort of legitimate production traffic. For example, if there are https connections coming in to a specific machine and specific port. You can detect if that machine starts sending out data on its own or starts accepting connections on another port. However, if the same port starts serving credit card numbers (obfuscated) or even hides the credit card numbers in tcp sequence numbers (or does something even more subtle as serving them by changing the case of "A" letters in http connections from certain addresses) the movement of data should be extremely hard to detect. Siim ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
