From: Jerry Shenk (jasDECNS.COM)
Date: Thu Apr 05 2001 - 08:43:55 CDT


    Ya know, I thought about this yesterday a little too. It would depend on
    the site, but for a simple site (obviously they're the easiest) running a web
    server, wouldn't it be possible to have an IDS monitor all 'http commands'
    coming from the client and know that there are certain parameters that are
    reasonable? Somebody yesterday suggested that idea for a POP user-string
    length limit. Most of these overflows either get crazy long, or they're trying
    to pull up a page with odd directory mapping strings.

    Ya know what would be good...having something like portsentry that could
    block based on known, well defined http strings. If the guy tries a known
    exploit, lock the IP address for a day.

    -----Original Message-----
    From: Focus on Intrusion Detection Systems
    [mailto:FOCUS-IDSSECURITYFOCUS.COM] On Behalf Of Joe Carnahan
    Sent: Wednesday, April 04, 2001 6:08 PM
    To: FOCUS-IDSSECURITYFOCUS.COM
    Subject: Re: Can (packet sniffers)ids not like AntiVirus

    --- darkeyes <darkeyes263.NET> wrote:
    > hi all:
    > In my final college project I will make an
    > IDS based on libpcap & libnids. But after these days, I
    > found that the packet sniffer IDS is like some
    > AntiVirus software such as McAfee. We can only
    > analyse the exploit on the specific system to
    > collect the rules.

    Or in other words, how could you ever detect a new
    exploit before the vendor releases a new "exploit
    definition" and you install that definition? It's
    true, with most IDSes, you're screwed. One approach
    that I've used in writing filters for SHADOW is to
    define my filters as something like

       tcp and not (
         <all acceptable traffic>
       )

    Now, here's the big problem with my own suggestion:
    That's good if you're just watching traffic patterns,
    since the set of "acceptable" things is finite. But,
    there's a limitless amount of acceptable content, so
    for content filtering, I don't know how you could
    improve on the signature-based model.

    Just some thoughts,
    Joe

    =====
    Joseph Carnahan
    haq4jcyahoo.com
    Home: (540) 361-4345
    Work: (540) 653-5798
       or (703) 697-6318

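As an added example (not code from the thread, and not SHADOW or portsentry), here is a small Python model of both ideas in the exchange above: Joe's positive-model filter, `tcp and not (<all acceptable traffic>)`, applied to HTTP request lines of a simple site, and Jerry's suggestion of locking a source out for a day once it sends a request that falls outside the known-reasonable set. The site policy (allowed methods, paths, parameter limits), the constructed sample requests and the `check_request_line`/`Blocker` names are all assumptions made for the example.

```python
"""Positive-model HTTP request checker with temporary source blocking.

Added example: models Joe's "tcp and not (<all acceptable traffic>)" filter
as an allowlist over request lines and Jerry's "lock the IP address for a
day" as a ban table.  The site policy below is hypothetical.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, unquote, urlsplit

# Hypothetical policy for a small static site plus one CGI: anything that
# does not match is treated as an intrusion attempt, not as "unknown".
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
ALLOWED_VERSIONS = {"HTTP/1.0", "HTTP/1.1"}
ALLOWED_PATHS = re.compile(
    r"^/(?:index\.html|about\.html|images/[\w-]+\.(?:gif|jpg|png)|cgi-bin/search\.cgi)?$"
)
PARAM_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,31}$")
MAX_REQUEST_LINE = 512      # overflow attempts are "crazy long"
MAX_PARAM_VALUE = 128
BAN_SECONDS = 24 * 60 * 60  # lock the source out for a day


@dataclass
class Verdict:
    ok: bool
    reason: str = "accepted"


def check_request_line(line: str) -> Verdict:
    """Return Verdict(ok=True) only if the request line fits the allowlist."""
    if len(line) > MAX_REQUEST_LINE:
        return Verdict(False, "request line too long")
    parts = line.split(" ")
    if len(parts) != 3:
        return Verdict(False, "malformed request line")
    method, target, version = parts
    if method not in ALLOWED_METHODS:
        return Verdict(False, f"method {method} not allowed")
    if version not in ALLOWED_VERSIONS:
        return Verdict(False, "unexpected protocol version")
    url = urlsplit(target)
    # Decode before inspecting so "%2e%2e" is seen as "..": the "odd
    # directory mapping strings" are exactly what this rule is for.
    decoded_path = unquote(url.path)
    if ".." in decoded_path or "\\" in decoded_path or "\x00" in decoded_path:
        return Verdict(False, "directory traversal characters in path")
    if not ALLOWED_PATHS.match(decoded_path):
        return Verdict(False, f"path {decoded_path} not in allowlist")
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if not PARAM_NAME.match(name):
            return Verdict(False, f"unexpected parameter name {name!r}")
        if len(value) > MAX_PARAM_VALUE:
            return Verdict(False, f"parameter {name} value too long")
    return Verdict(True)


class Blocker:
    """Sources that sent a rejected request stay blocked for ban_seconds."""

    def __init__(self, ban_seconds: float = BAN_SECONDS) -> None:
        self.ban_seconds = ban_seconds
        self.banned_until: dict[str, float] = {}

    def is_blocked(self, ip: str, now: float) -> bool:
        expiry = self.banned_until.get(ip)
        return expiry is not None and now < expiry

    def observe(self, ip: str, line: str, now: float) -> Verdict:
        """Check one request; a rejection bans the source for a day."""
        if self.is_blocked(ip, now):
            return Verdict(False, "source currently blocked")
        verdict = check_request_line(line)
        if not verdict.ok:
            self.banned_until[ip] = now + self.ban_seconds
        return verdict


# Constructed sample traffic: (seconds since start, client IP, request line).
SAMPLE = [
    (0.0, "10.0.0.5", "GET /index.html HTTP/1.0"),
    (1.0, "10.0.0.9", "GET /cgi-bin/search.cgi?q=" + "A" * 600 + " HTTP/1.0"),
    (2.0, "10.0.0.9", "GET /index.html HTTP/1.0"),
    (3.0, "10.0.0.7", "GET /images/..%2F..%2Fprivate.txt HTTP/1.0"),
    (4.0, "10.0.0.5", "POST /cgi-bin/search.cgi?q=ids HTTP/1.1"),
    (90000.0, "10.0.0.9", "GET /index.html HTTP/1.0"),
]


def run(sample=SAMPLE):
    """Feed the sample through one Blocker; returns [(ip, ok, reason), ...]."""
    blocker = Blocker()
    results = []
    for now, ip, line in sample:
        v = blocker.observe(ip, line, now)
        results.append((ip, v.ok, v.reason))
    return results


if __name__ == "__main__":
    for ip, ok, reason in run():
        print(f"{ip:10} {'ok ' if ok else 'BAD'} {reason}")
```

The second sample request is rejected purely on length, the third is refused without inspection because its source is already locked out, and the last one from the same source is accepted again once the day has passed. The design choice matches Joe's caveat: the checker only enumerates the finite set of acceptable request shapes (methods, paths, parameter names and lengths); it makes no attempt to judge arbitrary content.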