Keystroke detection

Carter Bullard carter at qosient.com
Tue Jan 22 17:25:40 EST 2013


Hey David,
Read the paper that describes the algorithm.
   http://fodava.gatech.edu/files/reports/FODAVA-10-21.pdf

Basically it's an inter-packet arrival rate test, as there needs to be a rhythm
that is somewhat variable, within certain speeds, that have a corresponding
"echo" reply like return traffic.   It's not that they are packets that are encrypted,
you can configure it to test any TCP connection, whether it's SSH or not.

Carter


On Jan 22, 2013, at 4:27 PM, David <lists at edeca.net> wrote:

> On 14/12/2012 22:10, John Gerth wrote:
>> On 12/14/2012 1:31 PM, Craig Merchant wrote:
>>> What client tools do I need to use to look for keystroke detection in encrypted sessions?
>>> 
>> There are two facets to SSH keystroke detection:
>> 
>> (1) telling the sensor to look for keystrokes in argus.conf
>>  ARGUS_KEYSTROKE="ssh"
> 
> Out of interest how does this handle other things that SSH can do, such
> as network tunneling, agent forwarding etc?
> 
> Will packets containing that data also count as "keystrokes", because
> Argus cannot discern their contents?
> 
> David
> 
> 
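
Added example, not part of the original thread and not Argus's own code: a simplified sketch of the kind of test Carter describes, an inter-packet arrival check on small client packets that each draw an echo-like reply. The thresholds, the `(timestamp, direction, payload_bytes)` tuple layout, the function names and the sample flows are all assumptions constructed for illustration.

```python
from statistics import mean, pstdev

# Assumed thresholds for illustration; these are not Argus defaults.
MIN_GAP = 0.05       # seconds; gaps shorter than this are too fast for typing
MAX_GAP = 2.0        # seconds; gaps longer than this break the rhythm
ECHO_WINDOW = 0.5    # seconds allowed for the echo-like return packet
MAX_PAYLOAD = 64     # bytes; keystroke and echo packets are small
MIN_JITTER = 0.1     # minimum coefficient of variation of the gaps
MIN_KEYSTROKES = 5   # candidates needed before calling it typing

def echoed_client_packets(packets):
    """Timestamps of small client packets directly followed by a small server reply."""
    times = []
    for (ts, d, size), (ts2, d2, size2) in zip(packets, packets[1:]):
        if (d == "c" and d2 == "s" and ts2 - ts <= ECHO_WINDOW
                and 0 < size <= MAX_PAYLOAD and 0 < size2 <= MAX_PAYLOAD):
            times.append(ts)
    return times

def looks_like_keystrokes(packets):
    """True if echoed client packets arrive at a human-speed, somewhat variable rhythm."""
    times = echoed_client_packets(packets)
    gaps = [b - a for a, b in zip(times, times[1:])]
    gaps = [g for g in gaps if MIN_GAP <= g <= MAX_GAP]
    if len(gaps) + 1 < MIN_KEYSTROKES:
        return False
    # A perfectly regular cadence (a timer) has near-zero variation; typing does not.
    return pstdev(gaps) / mean(gaps) >= MIN_JITTER

def flow(starts, size=36, rtt=0.03):
    """Build a constructed flow: one small client packet plus its echo per start time."""
    out = []
    for t in starts:
        out += [(t, "c", size), (t + rtt, "s", size)]
    return out

# Constructed sample flows (not captured traffic).
TYPING = flow([0.00, 0.18, 0.45, 0.58, 0.95, 1.10])   # irregular, human-speed
TIMER = flow([i * 0.2 for i in range(10)])            # machine-regular cadence
BULK = [(i * 0.001, "s", 1448) for i in range(50)]    # one-way bulk transfer

if __name__ == "__main__":
    for name, pkts in (("typing", TYPING), ("timer", TIMER), ("bulk", BULK)):
        print(name, looks_like_keystrokes(pkts))
```

Because the check uses only timing, direction and payload size, it applies to any TCP flow whether or not the payload is encrypted.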
