Subject: Re: The CVE (WAS: RE: IDS: RE: Ramping up for another review)
From: Ron Gula (rgula@network-defense.com)
Date: Fri Jul 14 2000 - 10:02:02 CDT


Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner@uow.edu.au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicited mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo@uow.edu.au
-----------------------------------------------------------------------------
>RFP pointed something out
>to me last year that I found kind of amusing: someone released a CGI
>scanner that had a typo in the check list. This one vulnerable CGI (I
>can't remember which one it was, I'll have to go dig) was botched in this
>one scanner, and it has since shown up (botched) in several IDS products as
>well as vulnerability scanning products.

The other thought here is that the 'bad' probe is still a probe and may be
worth detecting. We've seen this happen with a number of CGI exploits
such as the SGI pfdisplay attack. We've also seen a lot of butthead hackers
compile x86 buffer overflow exploits on Sparcs and get the byte order
incorrect. Having signatures which look for reverse order sparc NOOPs is
incorrect, but it still may find hackers.

Ron Gula
Network Security Wizards
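The following Python is an added illustration of the point made above; it is not code from Ron Gula's post, from Network Security Wizards, or from any IDS product mentioned in the thread. It models the two kinds of "botched" probe the message describes with constructed sample data: a CGI request carrying a typo copied from a buggy scanner (the CGI names are hypothetical placeholders, not the real typo RFP found), and a SPARC NOP sled emitted in reversed byte order by an exploit compiled on a little-endian host. It goes one step beyond the text: because a NOP sled is a 4-byte periodic pattern, the byte-swapped sled is just the genuine sled shifted by one byte, so a signature written for the "wrong" order also matches the real thing (and vice versa).

```python
"""Toy signature matcher: a botched probe is still a probe worth detecting.

Added example, not part of the original mailing-list post. All sample
payloads and CGI names below are constructed placeholders.
"""
import struct

SPARC_NOP = 0x01000000  # sethi 0, %g0: the canonical SPARC NOP word

# Text signatures: the canonical probe path plus the misspelled variant that
# a scanner typo propagated into other tools. Both names are hypothetical.
CGI_SIGNATURES = {
    "cgi-probe-example":         b"/cgi-bin/example-vuln.cgi",
    "cgi-probe-example-botched": b"/cgi-bin/exmaple-vuln.cgi",
}


def nop_sled(count, byteorder=">"):
    """Build a sled of `count` SPARC NOPs.

    '>' (big-endian) is what a correctly built SPARC exploit emits;
    '<' models the exploit compiled with the byte order wrong.
    """
    return struct.pack(byteorder + "I", SPARC_NOP) * count


# Binary signatures: eight NOPs in correct and in reversed byte order.
BINARY_SIGNATURES = {
    "sparc-nop-sled":         nop_sled(8, ">"),   # 01 00 00 00 ...
    "sparc-nop-sled-swapped": nop_sled(8, "<"),   # 00 00 00 01 ...
}


def match(payload, signatures):
    """Return the sorted names of every signature found anywhere in payload."""
    return sorted(name for name, pattern in signatures.items() if pattern in payload)


def classify(payload):
    """Run both signature sets over one payload and return all hits."""
    return sorted(match(payload, CGI_SIGNATURES) + match(payload, BINARY_SIGNATURES))


# Constructed sample traffic. The sled samples carry a short zero-filled
# prefix and a two-byte tail so that neither pattern sits at offset 0.
SAMPLES = {
    "benign":        b"GET /index.html HTTP/1.0\r\n",
    "good_probe":    b"GET /cgi-bin/example-vuln.cgi HTTP/1.0\r\n",
    "botched_probe": b"GET /cgi-bin/exmaple-vuln.cgi HTTP/1.0\r\n",
    "good_sled":     b"\x00" * 16 + nop_sled(32, ">") + b"\xde\xad",
    "botched_sled":  b"\x00" * 16 + nop_sled(32, "<") + b"\xde\xad",
}


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:14s} -> {classify(payload)}")
```

Running the block shows the CGI typo only firing on its own signature, while either sled sample trips both the correct and the byte-swapped sled signature: once a sled is a few words long, the reversed pattern appears inside the genuine one at a one-byte offset, so keeping the "incorrect" signature costs nothing in coverage and catches the exploits that were built wrong.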