Snort Forums Archive
Product or snort-sig for detecting/preventing unauthorized encrypted traffic
Posted by sipecup on September 10, 2007 11:55:12
This question pertains to the not so theoretical scenarios of either one of the following: a day-one Trojan horse attack where the attacker sets up a secure connection back to himself using a well-known trusted port, such as 80, 21 or 443. Or, for instance, if a malicious user takes advantage of an open source tool such as OpenVPN to secure and route a connection out through a trusted port from within the company, effectively making all current security mitigations useless.
Is there any way that either Snort or another product out there could detect an initializing secure connection, whether it be SSL/TLS or IPsec? I realize that once the connection is established it would be pretty hard to find; that's why I say initializing. But if there's a way to detect one that's already established, that would be fine too!
Thanks in advance!
Posted by RayPesek on September 11, 2007 17:16:49
www.bleedingthreats.net has sigs that detect encrypted traffic on unusual ports.
http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/sigs/POLICY/POLICY_SSL_TLS_on_High_Port?view=markup
Ray
Posted by sipecup on September 12, 2007 03:57:35
Thanks Ray, I'll give it a shot!
Posted by sipecup on September 24, 2007 17:47:46
alert tcp any any -> any 21 (msg:"OpenVPN on Port 21"; content:"|52 53 41 20 47 65 6e 65 72 61 74 65 64|"; sid:2000000;)
My own personal dilemma: this will do the trick for OpenVPN, but it needs some refinement...
I still need to figure out how deep into the packet I want to go before the rule takes effect, so as not to overload the CPU.
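As an added example (not code from this thread, from Snort, or from the Bleeding Threats rule set), here are the two detection ideas discussed above written out in runnable Python so the logic can be exercised offline: a check that the first bytes of a payload are a TLS ClientHello arriving on a port where policy does not expect TLS, and the posted "RSA Generated" content match limited to the first N payload bytes, the way a Snort `depth` modifier limits it. The port list in EXPECTED_TLS_PORTS, the default depth of 64, and all sample packets are assumptions constructed for the example.

```python
"""Payload checks for TLS handshakes on unexpected ports and for the OpenVPN
marker posted above.  Added example; not code from this thread or any ruleset."""
import struct

# Byte pattern from the rule posted above ("RSA Generated" as hex).
OPENVPN_MARKER = bytes.fromhex("52534120" "47656e65" "72617465" "64")

TLS_RECORD_HANDSHAKE = 0x16
TLS_HANDSHAKE_CLIENT_HELLO = 0x01
# Assumption: ports on which this site's policy expects to see TLS.
EXPECTED_TLS_PORTS = {443, 465, 993, 995}


def is_tls_client_hello(payload: bytes) -> bool:
    """True if the payload starts with a TLS record carrying a ClientHello.

    TLS record header: content type (1), version (2), length (2).
    Handshake header:  message type (1), length (3).
    Only the first 9 bytes are inspected; the handshake is cleartext, which is
    why an "initializing connection" check is feasible at all.
    """
    if len(payload) < 9:
        return False
    rec_type, major, minor, rec_len = struct.unpack("!BBBH", payload[:5])
    if rec_type != TLS_RECORD_HANDSHAKE or major != 3 or minor > 4:
        return False
    if payload[5] != TLS_HANDSHAKE_CLIENT_HELLO:
        return False
    hs_len = int.from_bytes(payload[6:9], "big")
    # The handshake message must be at least as long as the record body that
    # carries it (a ClientHello may be split across records, never padded).
    return hs_len + 4 >= rec_len


def content_within_depth(payload: bytes, pattern: bytes, depth: int) -> bool:
    """Emulate a Snort `content` match with a `depth` modifier: the pattern must
    lie entirely inside the first `depth` payload bytes.  Capping the search is
    what keeps a content rule cheap on a busy link."""
    return pattern in payload[:depth]


def classify(dst_port: int, payload: bytes, depth: int = 64) -> list:
    """Return the alert messages one packet would raise (empty list if none)."""
    alerts = []
    if is_tls_client_hello(payload) and dst_port not in EXPECTED_TLS_PORTS:
        alerts.append(f"TLS ClientHello on unexpected port {dst_port}")
    if content_within_depth(payload, OPENVPN_MARKER, depth):
        alerts.append(f"OpenVPN marker on port {dst_port}")
    return alerts


def make_client_hello() -> bytes:
    """Build a minimal, constructed TLS 1.2 ClientHello (zeroed random)."""
    body = (b"\x03\x03" + bytes(32)    # client_version, 32-byte random
            + b"\x00"                   # session id length 0
            + b"\x00\x02\x13\x01"       # cipher suites: one id (0x1301)
            + b"\x01\x00"               # compression methods: null only
            + b"\x00\x00")              # extensions length 0
    handshake = bytes([TLS_HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_RECORD_HANDSHAKE, 3, 1]) + len(handshake).to_bytes(2, "big") + handshake


# Constructed sample traffic: (label, destination port, payload)
SAMPLES = [
    ("https",     443, make_client_hello()),
    ("tls-high", 8443, make_client_hello()),
    ("ftp-login",  21, b"USER anonymous\r\n"),
    ("vpn-on-21",  21, bytes(16) + OPENVPN_MARKER + bytes(8)),
]

if __name__ == "__main__":
    for label, port, payload in SAMPLES:
        print(f"{label:10} -> {classify(port, payload) or 'no alert'}")
```

In Snort rule syntax the cap implemented by `content_within_depth` is the `depth:N;` modifier placed after the `content` option, and restricting the rule to the client's first packets of an established session is done with `flow:to_server,established;`, so that the content search is not run on every packet of a long transfer.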
Posted by sipecup on September 24, 2007 17:49:14
snort detect openvpn traffic unusual port socket
(that was for Google in case someone else has this problem) :)