Re: Steady increase in ssh scans

From: Stuart Thomas (stuart_thomasat_private)
Date: Mon Feb 11 2002 - 12:52:44 PST

    I agree with Lee. The pre-amble to a buffer overflow, say the CRC32 attack for
    ssh1, could have a repeating pattern (maybe except for the return address
    repointing [different memory size/operating systems]), which could give the
    possibility of an IDS rule capture.

    Granted, any traffic post-compromise "might" be encrypted, between other
    compromised hosts, or more importantly "in-my-opinion" for administration by
    the attacker or scripts managed by the attacker. This could assist in finding
    out more information about the source of the attacker, especially as you would
    have "their" source IP address. Don't forget, you could have various other
    give-away information in your IDS capture, such as IP stack identification
    (through tcp/icmp etc).

    Another thought: the size of the ssh packets leaving the compromised host
    would be measurable too, as the worm/trojan/virus attempts to propagate itself
    using the same code, a recognisable pattern. (Although random size packet
    padding might be an arse.)
    
    Stu
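An added illustration of the packet-size idea in the post above (my example, not code from the list or from either poster): it reduces the client-side payload sizes of each outbound SSH session to a coarse fingerprint, so small random padding does not break the match, and flags a host that replays one fingerprint against many destinations. The flow records, size sequences and IP addresses are constructed for the example.

```python
from collections import defaultdict

# Constructed sample flow records (not real captures): one record per outbound
# SSH session as (src, dst, sizes), where sizes is the sequence of TCP payload
# lengths the client sent, in order.
SAMPLE_SESSIONS = [
    ("10.0.0.5", "10.0.1.1", [24, 136, 32, 280, 16, 16]),  # hypothetical propagation run
    ("10.0.0.5", "10.0.1.2", [24, 136, 32, 288, 16, 16]),  # same shape, padded differently
    ("10.0.0.5", "10.0.1.3", [24, 136, 32, 272, 16, 16]),
    ("10.0.0.5", "10.0.1.4", [24, 136, 32, 280, 16, 16]),
    ("10.0.0.5", "10.0.1.5", [24, 136, 32, 280, 16, 16]),
    ("10.0.0.9", "10.0.2.7", [24, 136, 32, 280, 16, 16]),  # one such session only
    ("10.0.0.9", "10.0.2.8", [24, 152, 48, 96, 40, 64, 72, 40]),  # ordinary admin session
]

# Sizes that fall into the same 64-byte bin compare equal. This tolerates a few
# bytes of random padding, but a size sitting right on a bin boundary can still
# flip bins, so the threshold below expects several matching sessions, not one.
PAD_BIN = 64


def signature(sizes, pad_bin=PAD_BIN):
    """Reduce a client->server size sequence to a padding-tolerant fingerprint."""
    return tuple(s // pad_bin for s in sizes)


def find_propagation_sources(sessions, min_targets=3, pad_bin=PAD_BIN):
    """Return {src: (fingerprint, sorted destinations)} for every source host that
    replays the same SSH session 'shape' against at least min_targets hosts."""
    targets_by_src_sig = defaultdict(set)
    for src, dst, sizes in sessions:
        targets_by_src_sig[(src, signature(sizes, pad_bin))].add(dst)
    hits = {}
    for (src, sig), dsts in targets_by_src_sig.items():
        if len(dsts) >= min_targets:
            hits[src] = (sig, sorted(dsts))
    return hits


if __name__ == "__main__":
    for src, (sig, dsts) in find_propagation_sources(SAMPLE_SESSIONS).items():
        print(f"{src}: fingerprint {sig} replayed against {len(dsts)} hosts: {dsts}")
```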
    
    ----- Original Message -----
    From: "Adam Manock" <abmanockat_private>
    To: <incidentsat_private>
    Sent: Monday, February 11, 2002 7:39 PM
    Subject: Re: Steady increase in ssh scans
    
    
    >
    > >Here's my concern.  With worms like nimda, lion, and others, sniffing is a
    > >major factor in analyzing the worm's propagation and exploitation
    > >methods.  An ssh based worm could take sniffing out of the picture (the
    > >attack is over an encrypted service) and reduce forensic analysis to
    > >artifact examination.
    >
    > Looks like we may need some honeypots...
    >
    > The encrypted activities of a hypothetical SSH worm could be logged using a
    > honeypot and a network sniffing logger, one that just so happens to have
    > the honeypot's private SSH key. SSHmitm of the dsniff toolkit might provide
    > a good place to start with how to decrypt and log a sniffed SSH connection.
    > An alternative approach would be to deliberately man-in-the-middle proxy an
    > SSH honeypot and make the proxy also "look" vulnerable to the worm. The
    > proxy would then be able to cleartext log all of the worm generated
    > traffic, encrypted or not.
    >
    > Adam
    >
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Mon Feb 11 2002 - 13:08:30 PST