Don Parker Blog


Detecting hacks via outbound packets

Most of us know that an Intrusion Detection System (IDS) is, at heart, a signature-based program. Those signatures can be ASCII or hex patterns in the payload, port numbers, and other header fields. An IDS will not catch everything, and it certainly will not catch a 0 day on the way in, but you can still try to catch the hacker who dropped a 0 day on you. How? Most hacks have a predictable end state: remote code execution through a command shell or something much like it. The trick is to build signatures that catch those command sessions on the way out, because the shell prompt and the command output travel from the compromised box back to the attacker, whichever side opened the connection.

That means watching outbound packets for strings like c:\ and c:\windows\system32> (the cmd.exe prompt), plus xp_cmdshell, which could turn up in the traffic after a SQL injection hack against SQL Server. Expect some tuning: a bare c:\ will also appear in legitimate outbound traffic that happens to carry a Windows path, so match on the prompt, not just the drive letter, and baseline it against your own network. Those are some of the obvious ones to look for. What takes time is looking for the not so obvious signs of outbound connectivity :-)
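To make the idea concrete, here is a small Python scanner that applies the post's outbound-shell signatures to a handful of constructed packets. This is an added example, not code from the post or from any IDS product. It assumes RFC 1918 space is "inside" and everything else is "outside", the packets and payloads are made up for illustration, and it goes slightly beyond the post's list by also matching the cmd.exe startup banner and the uid=0(root) line from a Unix id(1) command.

```python
"""Scan outbound packet payloads for command-shell artefacts.

Constructed example: the packets, addresses and payloads below are made up
for illustration and are not taken from any real capture.
"""
import ipaddress
from dataclasses import dataclass

# Assumption: RFC 1918 space is "inside"; everything else is "outside".
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Case-insensitive byte patterns a compromised host emits back to whoever is
# driving its shell. The two prompts and xp_cmdshell are the ones the post
# names; the cmd.exe banner and the id(1) line are additions for wider coverage.
SIGNATURES = [
    ("cmd.exe prompt (drive root)", b"c:\\"),
    ("cmd.exe prompt (system32)", b"c:\\windows\\system32>"),
    ("cmd.exe startup banner", b"microsoft windows [version"),
    ("MS SQL xp_cmdshell", b"xp_cmdshell"),
    ("unix id(1) output", b"uid=0(root)"),
]


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def is_outbound(pkt: Packet) -> bool:
    """Inside -> outside, regardless of which side opened the connection.

    A bind shell is opened by the attacker, a reverse shell by the victim, but
    in both cases the prompt and command output flow from the victim outward,
    so this is the direction to watch."""
    return is_internal(pkt.src) and not is_internal(pkt.dst)


def match_signatures(payload: bytes) -> list[str]:
    """Return the names of every signature found in the payload."""
    lowered = payload.lower()          # cmd.exe prompts vary in case
    return [name for name, pattern in SIGNATURES if pattern in lowered]


def scan(packets: list[Packet]) -> list[dict]:
    """Return one alert per outbound packet that matches at least one signature."""
    alerts = []
    for pkt in packets:
        if not is_outbound(pkt):
            continue                   # attacker's own typing, lateral traffic, etc.
        hits = match_signatures(pkt.payload)
        if hits:
            alerts.append({"src": pkt.src, "dst": pkt.dst,
                           "dport": pkt.dport, "hits": hits})
    return alerts


# Constructed sample traffic (not real captures).
SAMPLE_PACKETS = [
    # 1. Reverse shell: victim connects out, cmd.exe banner and prompt go with it.
    Packet("192.168.1.20", 1045, "203.0.113.5", 4444,
           b"Microsoft Windows [Version 5.1.2600]\r\n"
           b"(C) Copyright 1985-2001 Microsoft Corp.\r\n\r\n"
           b"C:\\WINDOWS\\system32>"),
    # 2. Bind shell listening on 80: the prompt still leaves outbound.
    Packet("10.0.0.7", 80, "198.51.100.9", 51234,
           b"C:\\Documents and Settings\\Administrator>"),
    # 3. SQL Server reply to an injection attempt, echoing the procedure name.
    Packet("10.0.0.12", 1433, "203.0.113.77", 52000,
           b"SQL Server blocked access to procedure 'sys.xp_cmdshell' of "
           b"component 'xp_cmdshell' because this component is turned off"),
    # 4. Unix box: output of id(1) heading back to the attacker.
    Packet("10.0.0.30", 33000, "203.0.113.5", 443,
           b"uid=0(root) gid=0(root) groups=0(root)\n"),
    # 5. Inbound: the attacker typing. Contains c:\ but is not outbound.
    Packet("203.0.113.5", 4444, "192.168.1.20", 1045, b"dir c:\\\r\n"),
    # 6. Internal-to-internal: out of scope for an outbound rule.
    Packet("192.168.1.20", 2000, "192.168.1.30", 4444,
           b"C:\\WINDOWS\\system32>"),
    # 7. Ordinary outbound HTTP request: no hits.
    Packet("10.0.0.7", 40000, "198.51.100.9", 80,
           b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_PACKETS):
        print(f"{alert['src']} -> {alert['dst']}:{alert['dport']}  "
              f"{', '.join(alert['hits'])}")
```

Running it flags packets 1 through 4 and ignores the attacker's inbound typing, the lateral internal-to-internal prompt and the plain HTTP request. In a real deployment the same thing is expressed as IDS rules with `content:` matches and a direction of inside-to-outside in the rule header; the two points worth carrying over from the code are that the direction check is what keeps the attacker's own commands from tripping the rule, and that a bare `c:\` on its own will false-positive on legitimate traffic carrying Windows paths, so prefer the full prompt string and tune against your baseline.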
