OSEC

From: Robert Graham (robert_david_grahamYAHOO.COM)
Date: Thu Apr 05 2001 - 03:35:23 CDT


    From: Max Vision
    > o length; abnormal amounts of data sent where not expected. This is
    > best handled by a plugin that can parse the protocol. Otherwise we
    > could have a signature for each plaintext protocol keyword to
    > watch for an overflow. For SMTP, we could watch HELO, MAIL FROM,
    > etc etc where the "length" (as measured by the stream assembler)
    > exceeded a value we thought reasonable. I believe IDS such as
    > BlackICE rely heavily on this type of detection, and although
    > more generic, probably catches more attacks.

    Just in case people are curious, the list of BlackICE intrusions is at:
    http://www.networkice.com/advice/intrusions
    You can search for words like "overflow" and "long" on this page to check
    out the buffer overflows detected. As Max says, they are generic. Often, all
    buffer overflows in a protocol are marked as a single item, but as specific
    exploits are released, we break them out as separate "signatures",
    especially when we need to sync them up with a specific BUGTRAQ ID or CVE.

    As Max indicates, BlackICE is not affected by ADMutate.

    BTW, the presentations I gave at CanSecWest and DefCon8 partially discussed
    this topic. They are at:
    http://www.robertgraham.com/slides
    Since I'm too lazy to do speaker notes, I'm not sure how useful these will
    be.

    Cheers,
    Robert Graham
    CTO/Network ICE

    PS: The idea that all IDSs are based on pure pattern-match is outdated.
    BlackICE uses a different technology, and even Snort (otherwise famous for
    patterns) does a lot of stuff beyond pattern-match, as Marty demonstrated at
    CanSecWest.

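A minimal length-based detector for SMTP client commands in the spirit of the generic "abnormal amount of data where not expected" check Max describes and Robert says BlackICE relies on. This is an added example, not code from this thread, from BlackICE or from Snort; the per-command thresholds, the MAX_LINE cap and the sample session are assumed values constructed for illustration.

```python
import re

# Assumed "reasonable" argument caps per command (illustrative, not any
# product's real limits). RFC limits are far smaller than typical overflow
# payloads, so a generous cap still separates normal traffic from attacks.
THRESHOLDS = {
    b"HELO": 256,
    b"EHLO": 256,
    b"MAIL": 512,   # MAIL FROM:<...>
    b"RCPT": 512,   # RCPT TO:<...>
    b"VRFY": 256,
    b"EXPN": 256,
}
# Any line longer than this is suspicious whatever the command, including a
# fragment the stream assembler has buffered without ever seeing a CRLF.
MAX_LINE = 2048

CMD_RE = re.compile(rb"^([A-Za-z]{4})(?:\s+(.*))?$", re.S)

def check_smtp_line(line: bytes):
    """Return a generic alert string for one client line, or None if normal."""
    if len(line) > MAX_LINE:
        return f"SMTP command line overflow ({len(line)} bytes)"
    m = CMD_RE.match(line)
    if not m:
        return None            # not a recognisable command; out of scope here
    cmd = m.group(1).upper()
    arg = m.group(2) or b""
    limit = THRESHOLDS.get(cmd)
    if limit is not None and len(arg) > limit:
        return f"SMTP {cmd.decode()} overflow ({len(arg)}-byte argument)"
    return None

def scan_client_stream(stream: bytes):
    """Split a reassembled client->server stream on CRLF and check each line.
    The unterminated trailing fragment is checked as well, so a payload that
    never sends CRLF is still caught once it grows past MAX_LINE."""
    alerts = []
    for line in stream.split(b"\r\n"):
        alert = check_smtp_line(line)
        if alert:
            alerts.append(alert)
    return alerts

# Constructed sample: a benign session followed by an overlong HELO argument.
SAMPLE = (b"EHLO mail.example.test\r\n"
          b"MAIL FROM:<alice@example.test>\r\n"
          b"RCPT TO:<bob@example.test>\r\n"
          b"HELO " + b"A" * 600 + b"\r\n")

if __name__ == "__main__":
    for a in scan_client_stream(SAMPLE):
        print(a)
```

As in the thread, the alert names are deliberately generic ("SMTP HELO overflow") rather than tied to one exploit, which is what makes this catch payloads an ADMutate-style encoder would hide from a byte-pattern signature.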