Subject: Re: Unicode and IDS evasion
From: urandom (urandom IO.COM)
Date: Tue Oct 31 2000 - 21:55:55 CST
- Next message: MCKILLICAN, DONALD: "host ids service"
- Previous message: Talisker: "Re: Host IDS"
- In reply to: Robert Graham: "Re: Unicode and IDS evasion"
- Next in thread: Matt Baudendistel: "Re: mysql & snort (win32)"
- Reply: urandom: "Re: Unicode and IDS evasion"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Tue, 31 Oct 2000, Robert Graham wrote:
> -----Original Message-----
> From: Eric Hacker
>
> >Is it pattern matching or is it protocol analysis?
> >"It all boils down to pattern matching in the end."
I must agree with the point that Mr. Hacker stipulated. All you described
below was *another* form of pattern matching. Granted it may be a better
way to define a signature, but it is still pattern matching in its base
form. Any IDS system worth its salt will do "protocol analysis". BTW,
there are several other IDS systems that use the same technique you
mentioned for detecting rpc.statd attacks, so Network ICE doesn't hold a
monopoly on good signature design.
> Here is Network ICE's perspective (the full version, not the watered down
> version you likely saw in the whitepaper):
>
> We see an important difference between "pattern matching" and what we call
> "name matching". Let's use the example of "phf". I think it is very
> different whether you are looking for the pattern "phf" on port 80 vs.
> looking for a CGI script named "phf". In other words, you could pepper the
> three letters "phf" throughout an HTTP request and never see Network ICE
> trigger, because they aren't referring to a CGI script. Yet you could
> reference the "phf" script on any port, and Network ICE still triggers.
> Certainly, "name matching" is related to "pattern matching", but we think
> the difference is very important.
>
> In any event, Network ICE does lots of things that aren't remotely close to
> pattern matching. For example, consider the older rpc.statd overflow that
> compromised Sun Solaris boxes throughout the Internet in early 1999. Network
> ICE doesn't detect any of the exploit signature patterns as the other IDSs
> do; instead, it analyzes the rpc.statd protocol and triggers on long
> filenames. The "pattern" that it triggers on is the number of characters,
> not any content within the filename.
>
> We started to see a rise in this signature being detected earlier this year.
> It wasn't due to the Solaris buffer-overflow, but a new format-string
> exploit in the RedHat version of rpc.statd. We were able to detect these
> protocol anomalies long before the specific vulnerability was known.
> http://www.networkice.com/advice/intrusions/2001702/
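The "name matching" versus "pattern matching" distinction drawn in the quoted text above, as an added example that is not code from Network ICE or from either poster. The naive detector searches for the bytes "phf" anywhere in the request; the name-matching detector parses the HTTP request line, percent-decodes and normalises the path, and fires only when the requested resource is actually a script called "phf". The request strings are constructed for the example, and the script name "phf" is the one the post uses.

```python
"""Added example: content search vs. resource-name matching for HTTP requests.

Not code from Network ICE or the mailing-list posters; written to illustrate the
distinction the thread draws. All request bytes below are constructed samples.
"""
import posixpath
from typing import Optional
from urllib.parse import unquote, urlsplit


def pattern_match(request: bytes, needle: bytes) -> bool:
    """Naive content search: fires on the byte pattern anywhere in the request,
    including headers and the entity body, regardless of what the client asked for."""
    return needle in request


def request_path(request: bytes) -> Optional[str]:
    """Parse the HTTP request line and return the percent-decoded, normalised path,
    or None when the request line is not well formed.

    Both origin-form ("/cgi-bin/phf") and absolute-URI form
    ("http://host:8080/cgi-bin/phf", as sent to a proxy) reduce to the same path,
    so the verdict does not depend on the TCP port the request arrived on."""
    first_line = request.split(b"\r\n", 1)[0]
    parts = first_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    target = parts[1].decode("latin-1")
    path = urlsplit(target).path          # drops scheme, host, port and query
    # Decode %xx escapes so "%70hf" and "phf" compare equal, then collapse
    # "." and ".." segments so the comparison sees the resource the server would serve.
    return posixpath.normpath(unquote(path))


def name_match(request: bytes, script: str) -> bool:
    """Resource-name matching: fires only when the last path component of the
    requested resource is the script name, wherever the bytes "phf" else appear."""
    path = request_path(request)
    if path is None:
        return False
    return posixpath.basename(path) == script


# Constructed samples (not real traffic).
# 1. The three letters "phf" peppered through a request body that asks for an
#    unrelated resource: content search fires, name matching does not.
REQ_SCATTERED = (
    b"POST /guestbook.cgi HTTP/1.0\r\n"
    b"Host: www.example.com\r\n"
    b"Content-Length: 15\r\n\r\n"
    b"msg=phf+phf+phf"
)
# 2. A request for the phf script with one letter percent-encoded: the literal
#    bytes "phf" never appear, yet the resource being asked for is phf.
REQ_ENCODED = b"GET /cgi-bin/%70hf?Qalias=x HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
# 3. Absolute-URI (proxy) form naming a non-standard port: same resource, same verdict.
REQ_PROXY = b"GET http://www.example.com:8080/cgi-bin/./phf HTTP/1.0\r\n\r\n"


def demo() -> dict:
    """Return both verdicts for each sample so the difference can be inspected."""
    samples = {"scattered": REQ_SCATTERED, "encoded": REQ_ENCODED, "proxy": REQ_PROXY}
    return {
        name: {"pattern": pattern_match(req, b"phf"), "name": name_match(req, "phf")}
        for name, req in samples.items()
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:10s} pattern={verdict['pattern']!s:5s} name={verdict['name']}")
```

The point the block makes is the one the post makes: a content search and a resource-name check are both "matching" in the end, but the second one is applied to a parsed protocol field, so it is indifferent to where the bytes sit and to how the client encoded them, and it is evaluated on whatever port the HTTP conversation runs on.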