From: Jerry Shenk (jas@DECNS.COM)
Date: Thu Apr 26 2001 - 21:19:54 CDT

    That's what tripwire does...if a file gets modified or a directory gets
    created, I want to know NOW!!!....and probably shut things down.

    -----Original Message-----
    From: Focus on Intrusion Detection Systems
    [mailto:FOCUS-IDS@SECURITYFOCUS.COM]On Behalf Of Mark Crosbie
    Sent: Thursday, April 26, 2001 4:47 PM
    To: FOCUS-IDS@SECURITYFOCUS.COM
    Subject: Re: New method

    In message <1524.193.49.140.159.988290963.squirrel@www.loria.fr>, Matthieu Huin writes:

    Hi Matthieu,

    >Your adventure just shows the limitations of signature based detection,
    >like ADmutate and articles such as "50 ways to bypass IDS" did before:
    >this method implies a sufficient knowledge of the mechanics of an attack in
    >order to design a signature. This also means you have to see an attack
    >first (or foresee it, this would be better!), then react. And what
    >about slight "mutations" of attacks? Will your signature still match it?

    Therein lies the problem with any method that focuses on what an
    attack *is* rather than what an attack *does*.

    There is a subtle semantic difference here: two attacks may look
    completely different, but they both may succeed in causing nfsd to
    coredump on a signal exit. The best way to detect such an attack is
    detect nfsd (or any network daemon) exiting unexpectedly with a core,
    not the sequence of odd-ball packets that causes the exit.

    Now some may argue "but I want to know any time anyone even tries that
    sequence of odd-ball packets". Those people have not had to deal with
    filtering alerts from an IDS console that lights up like a Christmas
    tree every time a script-kiddie runs a probe. So I feel that losing
    alerts which say "someone may have tried the foobar attack" and
    gaining alerts which say "your NFS server exited unexpectedly with a
    coredump" is a fair tradeoff. Thoughts anyone?

    I wonder has anyone seen any products/research that focus on what the
    various attacks do (i.e. the ultimate goal of the attack), rather than
    how they do it (i.e. how they craft packets)?

    Regards,
    Mark.

    --
    Mark Crosbie        	  http://www.hp.com/security/products/ids
    HP Praesidium IDS/9000 Product Architect
    Hewlett-Packard MS 47 LA
    19447 Pruneridge Avenue   mcrosbie@cup.hp.com
    Cupertino, CA 95014       (408) 447-2308
    

    >Matthieu Huin
    >Student-Engineer at the Ecole Nationale Supérieure des Mines de Nancy
    >http://eleves.mines.u-nancy.fr/~huin/fake/filtres.html
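A detector of the kind Mark describes, written here as an added example and not taken from any message in this thread: it scans constructed supervisor log lines for a network daemon that exited on a crash signal with a core, and deliberately ignores clean exits and operator-initiated stops. The log line format, the daemon list and the signal table are assumptions, not any product's real output.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines (not from the thread). The "exited on signal"
# format imitates an init/supervisor log; real field layouts vary by OS.
SAMPLE_LOG = """\
Apr 26 16:40:01 nfs1 nfsd[812]: serving 4 clients
Apr 26 16:41:12 nfs1 init: nfsd (pid 812) exited on signal 11 (core dumped)
Apr 26 16:41:13 nfs1 init: nfsd (pid 901) started
Apr 26 16:42:00 nfs1 init: cron (pid 455) exited with status 0
Apr 26 16:43:30 nfs1 init: inetd (pid 300) exited on signal 15
Apr 26 16:44:02 nfs1 init: httpd (pid 777) exited on signal 6 (core dumped)
"""

# Assumed list of daemons whose crash we treat as "the attack succeeded".
NETWORK_DAEMONS = {"nfsd", "inetd", "httpd", "sshd", "named"}

# Signals that mean abnormal termination; SIGTERM/SIGHUP/SIGINT are left out
# on purpose because operators use them for restarts.
CRASH_SIGNALS = {4: "SIGILL", 6: "SIGABRT", 7: "SIGBUS", 8: "SIGFPE", 11: "SIGSEGV"}

EXIT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) \S+: (?P<daemon>\S+) \(pid (?P<pid>\d+)\) "
    r"exited on signal (?P<sig>\d+)(?P<core> \(core dumped\))?"
)

@dataclass
class CrashAlert:
    host: str
    daemon: str
    pid: int
    signal: str
    core: bool

def find_daemon_crashes(log_text: str) -> list[CrashAlert]:
    """One alert per network daemon that died on a crash signal; nothing else."""
    alerts = []
    for line in log_text.splitlines():
        m = EXIT_RE.match(line)
        if not m or m["daemon"] not in NETWORK_DAEMONS:
            continue
        sig = int(m["sig"])
        if sig not in CRASH_SIGNALS:
            continue  # e.g. SIGTERM from an administrative restart
        alerts.append(CrashAlert(m["host"], m["daemon"], int(m["pid"]),
                                 CRASH_SIGNALS[sig], m["core"] is not None))
    return alerts

if __name__ == "__main__":
    for a in find_daemon_crashes(SAMPLE_LOG):
        print("ALERT", a)
```

On the sample, only the nfsd SIGSEGV and httpd SIGABRT exits are reported; the inetd SIGTERM and the clean cron exit are not.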