From: robert_david_graham (robert_david_graham@yahoo.com)
Date: Thu Jan 03 2002 - 23:01:34 CST


    This is what ISS calls a "decode" used for policy compliance and auditing --
    it is not an intrusion signature. If your policy is that everyone on
    your network should have Java turned off, then this signature should be
    enabled. Otherwise, it should be disabled. It is disabled in the default
    settings -- I think you turned on ALL possible events, which include these
    decode/auditing features.

    RealSecure is already fairly "stateful" -- it is doing exactly what you are
    describing. It is looking at the response packets from an earlier HTTP
    request, scanning them to see if they contain Java byte-codes. If it didn't
    keep state, it wouldn't be able to do it.

    Robert Graham
    Lead Architect, ISS

    PS: Actually, we touted our "stateful" technology as a competitive advantage
    for our products.

    PPS: There are some signatures in the current product that don't take
    advantage of state as they should (some trojan sigs). This is one area we
    are changing in the next release -- forcing all signatures to use state. We
    are also dramatically increasing the types of state we keep, such as
    cross-TCP-connection states in protocols like FTP, NetMeeting, RPC, etc.

    > -----Original Message-----
    > From: Kevin Martin [mailto:KMartin@xcaliber.com]
    > Sent: Tuesday, January 01, 2002 2:23 AM
    > To: focus-ids@securityfocus.com
    > Subject: Stateful IDS?
    >
    >
    > I'm in the middle of evaluating different NIDS and have
    > noticed (specifically on ISS) a lot of http-java messages.
    > Right now I'm monitoring on my Internet access point so my
    > outbound traffic looks to come from a common address (due to
    > NAT). When I evaluate the http-java messages that I'm seeing
    > (and I'm only using this one service as an example...there
    > are others that I see which are as a result of the same
    > behavior) they appear to be java responses from valid
    > websites back to connections that were initiated from
    > internal clients. Now, I'd obviously like to filter these
    > out as valid but don't see a way in the NIDS that I'm
    > evaluating to make them look at this "statefully". Are there
    > any NIDS out there that can do this (basically evaluate the
    > response against an earlier connection from source host/port
    > combination and not report as error)?
    >
    > Thanks.
    >
    > Kevin Martin kmartin@xcaliber.com
    > Stafford Trading Inc. Chief Security Officer
    > Chicago, IL 60604 TEL +1-312.356.4849
    > 230 S. LaSalle, Ste. 688
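The stateful check Robert describes (match an HTTP response to the earlier request from the same source host/port, then inspect the body for Java byte-codes) as an added illustration; this is not RealSecure's code and not code from either poster. It assumes a constructed packet stream, a hypothetical internal prefix `10.0.0.`, and identifies Java class files by their `0xCAFEBABE` magic bytes; responses with no tracked request are not reported, which is the behaviour Kevin asked for.

```python
from dataclasses import dataclass, field

JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"   # every Java .class file starts with these bytes
INTERNAL_NET = "10.0.0."                # assumed internal address prefix (hypothetical)


@dataclass
class StatefulJavaDecode:
    """Policy-audit decode: remember outbound HTTP requests, inspect only their replies."""
    pending: dict = field(default_factory=dict)  # (client, cport, server, sport) -> request line
    events: list = field(default_factory=list)

    def observe(self, src, sport, dst, dport, payload):
        """Feed one packet; return an event dict if a Java class came back to a known client."""
        if src.startswith(INTERNAL_NET) and payload.startswith((b"GET ", b"POST ")):
            # Client side of the conversation: record the request under its 4-tuple.
            self.pending[(src, sport, dst, dport)] = payload.split(b"\r\n", 1)[0].decode(errors="replace")
            return None
        # Server side: reverse the tuple to find the request that solicited this reply.
        request = self.pending.get((dst, dport, src, sport))
        if request is None:
            return None  # no earlier request from this host/port: not attributable, so not reported
        body = payload.split(b"\r\n\r\n", 1)[-1]
        if body.startswith(JAVA_CLASS_MAGIC):
            event = {"kind": "http-java", "client": dst, "server": src, "request": request}
            self.events.append(event)
            return event
        return None


def run_sample():
    """Constructed traffic: one applet fetch, one unsolicited reply, one plain HTML page."""
    java_reply = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
                  + JAVA_CLASS_MAGIC + b"\x00\x00\x00\x34")
    html_reply = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
    packets = [
        ("10.0.0.5", 40001, "203.0.113.10", 80, b"GET /applet/Hello.class HTTP/1.1\r\nHost: x\r\n\r\n"),
        ("203.0.113.10", 80, "10.0.0.5", 40001, java_reply),   # reply to the tracked request
        ("203.0.113.10", 80, "10.0.0.5", 40002, java_reply),   # no request on port 40002: ignored
        ("10.0.0.6", 40003, "203.0.113.10", 80, b"GET /index.html HTTP/1.1\r\nHost: x\r\n\r\n"),
        ("203.0.113.10", 80, "10.0.0.6", 40003, html_reply),   # tracked, but not Java: no event
    ]
    decode = StatefulJavaDecode()
    for pkt in packets:
        decode.observe(*pkt)
    return decode.events


if __name__ == "__main__":
    for ev in run_sample():
        print(ev)
```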