Subject: Re: Rapid response
From: Max Vision (vision WWW.WHITEHATS.COM)
Date: Fri Oct 20 2000 - 09:05:58 CDT
- Next message: Joshua Krage: "Re: Validating IDS Rulesets"
- Previous message: rob: "Commercial vs. open source"
- Next in thread: Martin Roesch: "Re: Rapid response"
- Next in thread: Elliot Turner: "Re: Symantec IDS Experts????????????????????"
- Maybe reply: Max Vision: "Re: Rapid response"
- Reply: Martin Roesch: "Re: Rapid response"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
> From: Robert Graham <robert_david_graham YAHOO.COM>
> Date: Thu, 19 Oct 2000 21:19:37 -0700
> To: FOCUS-IDS SECURITYFOCUS.COM
> Subject: Rapid response
>
> >Have a look at www.whitehats.com, there is an hourly updated
> >signature file. I think such service even commercial vendors don't supply.
>
...
> However, looking at the www.whitehats.com signature, I see that it only
> checks for the string "%c1%1c" sent to port 80. This is the pattern of the
> attack that was announced in the initial BUGTRAQ post, but it doesn't work
> on most systems; the far more dangerous variant that was posted with full
> exploit code uses "%c0%af". Moreover, I could list 20 more tiny variations
> that exploit this in the identical way that would require 20 more
> "signatures" to catch (which is why network-grep IDSs tend to have much
> higher "signature counts" than protocol-analysis IDSs -- they need them to
> do the same amount of work). If you test out the Network ICE update, you'll
> find that it solves all these issues.
>
Hi, it is funny that you mention this because a few hours before you
posted this message I had a signature on the site which detects the
"%c0%af" variant/exploit (IDS433/web-iis-unicode-traversal-optyx).
I entered these signatures in response to public exploit information
being posted for each. There are quite a few signatures which are highly
exploit-specific because snort and other free IDS do not yet support
protocol inspection or even regex (with minor exception of Shoki which
does support regex (http://www.meshuggeneh.net/shoki/)). You are right
that there are huge limitations to the snort rules capability, and
string-signature IDS in general (although regex would go a long way
towards closing the gap).
Would you mind disclosing the "20 or more tiny variations" of this attack
that you have researched, since you have already done this work? You
would be helping quite a large number of administrators. (disclosure
request extended to anyone reading this message)
Max Vision
http://whitehats.com/
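The quoted post's point, and Max's reply about string-signature IDS versus protocol inspection, can be shown side by side. The following is an added example and is not code from the original thread, whitehats.com or snort: a hypothetical lax UTF-8 decoder (its byte-handling rules are an assumption for illustration, not a specification of IIS) normalises the request path first, so one traversal check covers "%c1%1c", "%c0%af" and plain percent-encoding alike, while the literal-string rule described in the post catches only the one encoding it was written for. The sample request paths are constructed.

```python
import re
from urllib.parse import unquote_to_bytes

# Hypothetical lax decoder modelling the behaviour the thread describes: a
# 2-byte lead (0xC0-0xDF) is combined with whatever byte follows it, with no
# overlong or continuation-byte check, so %c0%af -> '/' and %c1%1c -> '\'.
# Assumption for illustration only; a real decoder would extend the same
# rule to 3- and 4-byte sequences.
def decode_lax_utf8(data: bytes) -> str:
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:                                  # plain ASCII
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data):  # 2-byte form
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:                                         # junk: never a separator
            out.append('\ufffd')
            i += 1
    return ''.join(out)

# ".." bounded by '/' or '\' (or start/end of path) after full decoding.
TRAVERSAL = re.compile(r'(^|[/\\])\.\.([/\\]|$)')

def traversal_by_decoding(request_path: str) -> bool:
    """Protocol-analysis style: decode %xx, then decode UTF-8, then inspect."""
    decoded = decode_lax_utf8(unquote_to_bytes(request_path))
    return TRAVERSAL.search(decoded) is not None

def traversal_by_grep(request_path: str) -> bool:
    """Network-grep style, as the quoted post describes the original rule."""
    return '%c1%1c' in request_path.lower()

# Constructed sample request paths -> whether they really traverse.
SAMPLES = {
    '/scripts/..%c1%1c../target.txt': True,   # pattern from the initial advisory
    '/scripts/..%c0%af../target.txt': True,   # variant discussed in the thread
    '/scripts/..%2f../target.txt':    True,   # ordinary percent-encoded slash
    '/scripts/index.asp?id=%c0%af':   False,  # odd bytes, but no traversal
    '/docs/release..notes.txt':       False,  # '..' not bounded by separators
}

def compare() -> dict:
    """Per sample path: (decoder verdict, grep verdict, expected)."""
    return {p: (traversal_by_decoding(p), traversal_by_grep(p), want)
            for p, want in SAMPLES.items()}

if __name__ == '__main__':
    for path, (dec, grep, want) in compare().items():
        print(f'{path:36} decode={dec!s:5} grep={grep!s:5} expected={want}')
```

Only the decoder column agrees with the expected verdict on every sample; the grep rule misses the "%c0%af" and "%2f" forms entirely, which is the "one signature per variant" cost the quoted post describes.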