Subject: Re: Rapid response
From: Martin Roesch (roeschMD.PRESTIGE.NET)
Date: Wed Oct 25 2000 - 01:49:07 CDT


Max Vision wrote:
>
> Hi, it is funny that you mention this because a few hours before you
> posted this message I had a signature on the site which detects the
> "%c0%af" variant/exploit (IDS433/web-iis-unicode-traversal-optyx).
>
> I entered these signatures in response to public exploit information
> being posted for each. There are quite a few signatures which are highly
> exploit-specific because snort and other free IDS do not yet support
> protocol inspection or even regex (with minor exception of Shoki which
> does support regex (http://www.meshuggeneh.net/shoki/)). You are right
> that there are huge limitations to the snort rules capability, and
> string-signature IDS in general (although regex would go a long way
> towards closing the gap).

Snort actually has a primitive regex capability (rule option "regex") in the
CVS code that's available; it allows simple single/multi-character
wildcarding. This is probably handled better in preprocessor space, but we
need better pattern matching techniques (Aho-Corasick) to make the protocol
analysis worth it.

> Would you mind disclosing the "20 or more tiny variations" of this attack
> that you have researched, since you have already done this work? You
> would be helping quite a large number of administrators. (disclosure
> request extended to anyone reading this message)

   -Marty

--
Martin Roesch
roeschmd.prestige.net
http://www.snort.org
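Added example, not code from the thread above and not Snort's own: a small normalising decoder that shows the point both messages make. A signature tied to the literal byte string "%c0%af" (standing in here for an exploit-specific content match) is defeated by trivial re-encodings of the same IIS traversal request, while decoding the URL to a canonical form first, which is the kind of work a protocol-aware preprocessor would do before matching, lets one generic "../" rule cover the whole family. The rule body, the sample requests and the helper names are constructed for this example.

```python
"""
Added example, not code from the thread above and not Snort's own: a small
normalising decoder showing why an exploit-specific string signature for
"%c0%af" misses trivially re-encoded variants of the same IIS traversal
request, and how canonicalising the URL first lets one generic rule cover
the family.  LITERAL_SIGNATURE stands in for a content-match rule and the
sample requests are constructed for this example.
"""
import re
from urllib.parse import unquote_to_bytes

# Stand-in for an exploit-specific content match (hypothetical rule body).
LITERAL_SIGNATURE = b"%c0%af"

# What the rule should really be looking for once the request is in
# canonical form: a parent-directory step.
TRAVERSAL = re.compile(rb"\.\./")


def decode_overlong_utf8(data: bytes) -> bytes:
    """Decode 2- and 3-byte UTF-8 sequences, deliberately accepting the
    overlong forms that a conforming decoder must reject (detection only;
    a real decoder must not do this).  An overlong encoding of a code point
    below 0x80 collapses to that single ASCII byte, which is exactly the
    "%c0%af" == "/" trick; anything else passes through untouched so the
    later ASCII checks still work."""
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if (b & 0xE0) == 0xC0 and i + 1 < n and (data[i + 1] & 0xC0) == 0x80:
            cp = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F)
            width = 2
        elif ((b & 0xF0) == 0xE0 and i + 2 < n
              and (data[i + 1] & 0xC0) == 0x80 and (data[i + 2] & 0xC0) == 0x80):
            cp = ((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F)
            width = 3
        else:
            out.append(b)
            i += 1
            continue
        if cp < 0x80:
            out.append(cp)                  # overlong ASCII: collapse it
        else:
            out.extend(data[i:i + width])   # genuine multibyte char: keep raw
        i += width
    return bytes(out)


def canonicalize(url: bytes) -> bytes:
    """Percent-decode (hex case does not matter), fold overlong UTF-8, and
    treat backslash as a path separator the way IIS does."""
    decoded = decode_overlong_utf8(unquote_to_bytes(url))
    return decoded.replace(b"\\", b"/")


def literal_match(url: bytes) -> bool:
    """Byte-for-byte content match on the raw request, like the signature."""
    return LITERAL_SIGNATURE in url


def normalized_match(url: bytes) -> bool:
    """Same check, but on the canonical form of the request."""
    return TRAVERSAL.search(canonicalize(url)) is not None


# Constructed sample requests: (raw URL, is it a traversal attempt?)
SAMPLE_REQUESTS = [
    (b"/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir", True),     # the public form
    (b"/scripts/..%C0%AF../winnt/system32/cmd.exe?/c+dir", True),     # upper-case hex
    (b"/scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+dir", True),  # 3-byte overlong "/"
    (b"/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir", True),     # overlong "\"
    (b"/scripts/%2e%2e%2fwinnt/system32/cmd.exe?/c+dir", True),       # plain %-encoded "../"
    (b"/scripts/index.asp?page=%c0%a1", False),                       # overlong "!", harmless
    (b"/images/logo.gif", False),
]


def compare(requests=SAMPLE_REQUESTS):
    """Return (literal_hits, normalized_hits, attacks_missed_by_literal)."""
    literal = sum(literal_match(u) for u, _ in requests)
    normalized = sum(normalized_match(u) for u, _ in requests)
    missed = sum(1 for u, bad in requests if bad and not literal_match(u))
    return literal, normalized, missed


if __name__ == "__main__":
    for url, bad in SAMPLE_REQUESTS:
        print(f"{url.decode()!s:55} literal={literal_match(url)!s:5} "
              f"normalized={normalized_match(url)!s:5} attack={bad}")
    print("literal/normalized/missed:", compare())
```

On the constructed set the literal signature fires on one of the five attack requests and misses the other four, while the normalised check catches all five and neither benign request. The overlong-acceptance in decode_overlong_utf8 is there only so the detector sees what the vulnerable server saw; it should never be used as a general-purpose decoder.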