Date: Sat Oct 22 03:33:08 2005
From: rodrigob at suespammers.org (Rodrigo Barbosa)
Subject: Question

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, Oct 21, 2005 at 07:44:25PM -0500, Frank Knobbe wrote:
> On Fri, 2005-10-21 at 18:36 -0200, Rodrigo Barbosa wrote:
> > The IRC protocol is very easy to identify.
> > I would suggest blocking the protocol itself, regardless of the port.
>
> Right. Unless it runs over SSL, then it's a bit harder to identify,
> wouldn't you agree?
>
> PS: Yes, there are bots that are running IRC over SSL, so no "No one
> does it" comments please.

You would not get one of those from me. Especially since I have once
encountered a malware that used ICMP echo as a covert channel.

Even though you can't particularly identify IRC over SSL, you can identify
SSL. So, you can block it to any unexpected ports.

Of course, the Bot can use IRC over SSL with destination port 443/tcp.
In that case, the way to go would be to have a web proxy with
authentication.

Then again, the Bot can monitor IE (Firefox etc) and get the credentials,
creating an HTTP connection (with SSL/TLS) and use it to tunnel the IRC
protocol (there are plenty of HTTP tunneling software around). In that
case, the way to go would be to have the proxy server only allowing
connections to known good addresses, making sure there is no way to fool
the proxy, including the possibility of an XSS vulnerability on one of
those good servers, which could be exploited to redirect the connection
somewhere else.

Even with all those possibilities, it is still a good idea to check for
the IRC protocol on the border gateway/firewall, since many bots will use
a simple IRC protocol to connect to an IRC server running on a given port.
And it is much more likely to find an IRC server running on a non-standard
port than it is to find a bot that will do all those possible tricks.

I don't mean to attack you. You are right, and very much correct on your
point. Please accept this e-mail as such.

Yes, I think one should check for the IRC protocol, but that is not enough
for someone to consider himself safe. With that, I agree with you.

- --
Rodrigo Barbosa <rodrigob@...spammers.org>
"Quid quid Latine dictum sit, altum viditur"
"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDWaTepdyWzQ5b5ckRAgrwAJ9rI+FRPEyqOR3HRkUWMdluLgVjRACgvufo
MfwouoU6ohHe7sKOavDzfLQ=
=Bsq4
-----END PGP SIGNATURE-----
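The two checks the message above recommends for the border gateway, recognising IRC by its protocol grammar rather than its port and flagging SSL/TLS on ports where no TLS service is expected, sketched as an added Python example. This is not code from the post or from any tool discussed on the list; the sample flows, the allowed TLS port set and the IRC command list are constructed assumptions.

```python
import re

# Constructed sample flows (dst port, first client->server bytes). These are
# made-up illustrations, not captures from the list post.
SAMPLE_FLOWS = [
    (6667, b"NICK bot1234\r\nUSER bot 0 * :bot\r\nJOIN #cmd\r\n"),   # plain IRC, usual port
    (8080, b"NICK xyz\r\nUSER xyz 8 * :xyz\r\n"),                   # plain IRC, odd port
    (443,  b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\x00" * 32),  # TLS ClientHello
    (8443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\x00" * 32),  # TLS, odd port
    (80,   b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),          # plain HTTP
]

# Assumption: ports on which this site expects to see TLS handshakes.
EXPECTED_TLS_PORTS = {443, 465, 993, 995}

# Commands a client sends at the start of an IRC session (RFC 1459/2812,
# plus CAP from IRCv3); 3-digit numerics cover server-side replies.
IRC_COMMANDS = {b"PASS", b"NICK", b"USER", b"JOIN", b"PRIVMSG", b"NOTICE",
                b"MODE", b"PING", b"PONG", b"CAP"}
IRC_LINE = re.compile(rb"^(?::[^ ]+ )?([A-Z]{3,7}|[0-9]{3})( |$)")


def looks_like_irc(payload: bytes) -> bool:
    """IRC is line oriented: CRLF-terminated lines, each an optional ':prefix'
    followed by a command word or a 3-digit numeric. Demand that every line
    seen parses that way and that there are at least two, so a lone word such
    as PING in some other protocol does not trigger."""
    lines = [ln for ln in payload.split(b"\r\n") if ln]
    if len(lines) < 2:
        return False
    for ln in lines:
        m = IRC_LINE.match(ln)
        if not m:
            return False
        cmd = m.group(1)
        if cmd not in IRC_COMMANDS and not cmd.isdigit():
            return False
    return True


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """TLS record header: type 0x16 (handshake), version 0x03 0x00-0x03,
    2-byte length, then handshake type 0x01 (ClientHello). Port-independent,
    which is what lets a gateway spot TLS on a port it does not expect."""
    return (len(payload) >= 6 and payload[0] == 0x16
            and payload[1] == 0x03 and payload[2] <= 0x03
            and payload[5] == 0x01)


def classify(payload: bytes) -> str:
    # TLS first: an IRC session inside TLS is only visible as TLS here,
    # which is exactly the limitation the thread discusses.
    if looks_like_tls_client_hello(payload):
        return "tls"
    if looks_like_irc(payload):
        return "irc"
    return "other"


def policy_alerts(dst_port: int, payload: bytes) -> list:
    """Apply the two rules from the thread: flag IRC wherever it appears,
    and flag TLS to ports where no TLS service is expected."""
    proto = classify(payload)
    alerts = []
    if proto == "irc":
        alerts.append(f"irc-protocol on tcp/{dst_port}")
    if proto == "tls" and dst_port not in EXPECTED_TLS_PORTS:
        alerts.append(f"tls on unexpected tcp/{dst_port}")
    return alerts


if __name__ == "__main__":
    for port, payload in SAMPLE_FLOWS:
        print(port, classify(payload), policy_alerts(port, payload))
```

In a real gateway these functions would be fed the first few hundred bytes of each new flow in both directions; the IRC matcher is deliberately strict (every line must parse, at least two lines) so that ordinary text protocols do not trip it, and plain IRC on 8080 and TLS on 8443 are the cases it is meant to surface, while IRC wrapped in TLS to 443 is indistinguishable from HTTPS at this layer, as the post points out.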