 
Subject: Re: Rapid response
From: Talisker (Talisker@NETWORKINTRUSION.CO.UK)
Date: Wed Oct 25 2000 - 11:52:08 CDT


Speed vs Quality
On the subject of signature quality and vendor support: I received an
update for a product which will remain nameless, just after DDOS raised its
head. Shortly after installing the update, the NIDS started alarming,
indicating numerous hosts as a DDOS source. Knowing the hosts concerned, I
thought it must be a false positive, but I contacted the vendor anyway to
find out what it was looking for, only to be told that the guy who dealt
with it was off sick and I would have to wait. A week later he contacted me
to say that the signature was unreliable and to switch it off.

Could be worse, we could have bought the product

Andy
http://www.networkintrusion.co.uk Talisker's comprehensive IDS & Scanner List
                    '''
                 (0 0)
  ----oOO----(_)----------
  | The geek shall |
  | Inherit the earth |
  -----------------oOO----
               |__|__|
                  || ||
              ooO Ooo

The opinions contained within this transmission are entirely my own, and do
not necessarily reflect those of my employer.

----- Original Message -----
From: "Robert Graham" <robert_david_graham@YAHOO.COM>
To: <FOCUS-IDS@securityfocus.com>
Sent: Friday, October 20, 2000 5:19 AM
Subject: Rapid response

> >-- writing new signatures
> >
> >Have a look at www.whitehats.com, there is an hourly updated
> >signature file. I don't think even commercial vendors supply such a
> >service.
>
> Actually, a lot of vendors promote how fast they update. They even have
> names for them like "rapid response" or some such. The problem isn't
> whether you get the update rapidly, but whether the vendor actually
> responds in a rapid manner in the first place. Now, I look at
> www.whitehats.com and www.networkice.com and see that both have updates
> on their sites for the latest IIS vulnerability (which is a HUGE
> vulnerability, BTW). Looking at the other vendors' websites, I see
> nothing.
>
> However, looking at the www.whitehats.com signature, I see that it only
> checks for the string "%c1%1c" sent to port 80. This is the pattern of
> the attack that was announced in the initial BUGTRAQ post, but it doesn't
> work on most systems; the far more dangerous variant that was posted with
> full exploit code uses "%c0%af". Moreover, I could list 20 more tiny
> variations that exploit this in the identical way that would require 20
> more "signatures" to catch (which is why network-grep IDSs tend to have
> much higher "signature counts" than protocol-analysis IDSs -- they need
> them to do the same amount of work). If you test out the Network ICE
> update, you'll find that it solves all these issues.
>
> This morning I talked to two different customers who downloaded our update
> we posted on Tuesday and who both saw the %c0%af variant attacks, but not
> the %c1%1c variant that Whitehats is looking for.
>
> In truth, Network ICE's response time is determined by how serious we
> think the threat is, so you'll have a better average response time with
> Snort. On the other hand, the point I'm trying to get across is that,
> whether it's with open-source or commercial, you can't trust that just
> because a vendor boasts about how fast they can update in theory, they
> will do a good job of it in practice.
>
> Robert Graham
> CTO/Network ICE
>
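As an added example, not part of either message in this thread, here are the two detection approaches Robert Graham contrasts, run side by side over constructed sample requests: a string-match rule that fires on the literal bytes "%c1%1c", beside a decoder that models the lenient multi-byte handling the thread attributes to the vulnerable server and then asks whether the decoded path escapes the web root. The sample request lines are hypothetical and not captured traffic, and lenient_utf8_decode() is an assumption built for this illustration, a model of the behaviour described above rather than IIS code.

```python
"""Added example: "network grep" signature vs. protocol analysis for the
overlong-UTF-8 traversal requests discussed in the thread.

Everything here is constructed for illustration: the sample requests are
not captured traffic, and lenient_utf8_decode() is a model of the decoder
behaviour the thread describes (%c0%af -> '/', %c1%1c -> '\\'), not IIS code.
"""
import re
from urllib.parse import unquote_to_bytes

# Constructed sample request lines (hypothetical paths, not real traffic).
SAMPLE_REQUESTS = {
    "bugtraq variant %c1%1c":   b"GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "exploit variant %c0%af":   b"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "upper-case %C0%AF":        b"GET /scripts/..%C0%AF../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "backslash variant %c1%9c": b"GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "benign, pattern in query": b"GET /scripts/search.asp?q=%c1%1c HTTP/1.0",
    "benign, ordinary page":    b"GET /index.html HTTP/1.0",
}


def grep_signature(request: bytes) -> bool:
    """The string-match rule the thread describes: fire only when the literal
    bytes %c1%1c occur anywhere in the request.  Matching case-insensitively
    is generous to the rule; it still knows nothing about what the bytes mean."""
    return b"%c1%1c" in request.lower()


def lenient_utf8_decode(data: bytes) -> str:
    """Model of a lenient multi-byte decoder (assumption, not IIS source).

    For a lead byte announcing a 2- or 3-byte sequence it combines the low
    bits of the following bytes without checking that they are valid
    continuation bytes (10xxxxxx) or that the result is the shortest
    encoding.  So the overlong %c0%af becomes '/', and both %c1%1c (invalid
    continuation byte) and %c1%9c become '\\'.  Other bytes pass through."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data):
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        elif 0xE0 <= b <= 0xEF and i + 2 < len(data):
            out.append(chr(((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F)))
            i += 3
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def request_path(request: bytes) -> bytes:
    """Request-target of 'METHOD target HTTP/x', with any query string removed."""
    parts = request.split(b" ")
    target = parts[1] if len(parts) > 1 else b""
    return target.split(b"?", 1)[0]


def escapes_webroot(path: str) -> bool:
    """Walk the decoded path treating both '/' and '\\' as separators (as a
    Windows server does) and report whether '..' ever climbs above the root."""
    depth = 0
    for segment in re.split(r"[/\\]", path):
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        elif segment and segment != ".":
            depth += 1
    return False


def protocol_analysis(request: bytes) -> bool:
    """Decode the request the way the vulnerable server would, then judge what
    the decoded path does.  One rule covers every encoding of the separator."""
    decoded = lenient_utf8_decode(unquote_to_bytes(request_path(request)))
    return escapes_webroot(decoded)


def compare() -> dict:
    """Both verdicts for every sample: label -> (grep fired, protocol analysis fired)."""
    return {label: (grep_signature(req), protocol_analysis(req))
            for label, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    print(f"{'sample':28} {'grep %c1%1c':>12} {'protocol':>9}")
    for label, (grep_hit, proto_hit) in compare().items():
        print(f"{label:28} {str(grep_hit):>12} {str(proto_hit):>9}")
```

Running it shows the asymmetry the thread is about: the string rule catches only the one variant it was written for and also fires on the same bytes sitting harmlessly in a query string, while the single decode-then-check rule flags every separator encoding (including upper-case hex) and stays quiet on both benign requests. Each new way of spelling the separator would cost the grep approach another signature; the decoder needs none.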