From: Ravi Chunduru (ravi.is.chunduru gmail.com)
Date: Mon Jun 09 2008 - 20:03:04 CDT
Thank you. I guess I need to depend on access controls and version string.
Thanks
Ravi.
On Mon, Jun 9, 2008 at 11:55 AM, Sergio Castro <sergio.castro unicin.net> wrote:
> When you don't have access to the signature, you always have access to the
> behavior. You can use network behavior analysis to detect abnormal traffic
> patterns, such as SSH traffic from unknown public IPs, or at unusual hours,
> or unusual data transfer rates.
> What IDS are you using?
>
> -----Original Message-----
> From: listbounce securityfocus.com [mailto:listbounce securityfocus.com] On
> behalf of Ravi Chunduru
> Sent: Friday, 06 June 2008 07:22 p.m.
> To: Focus IDS
> Subject: Help in writing Network IDS/IPS signature to detect sftp
> vulnerability
>
> Hi,
>
> Check this disclosure at
>
> http://archives.neohapsis.com/archives/fulldisclosure/2008-06/0101.html
>
> The attack data is encrypted within the encrypted SSH. Without
> having to decrypt the SSH, is there any clever way to detect this (using
> some kind of anomaly on the packet size, type of characters, etc.)?
>
> thanks
> Ravi
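The behavioural checks described in the quoted reply above (SSH traffic from unknown public IPs, at unusual hours, or at unusual data transfer rates), as an added example that is not part of the original thread. The flow-record layout, the allowlisted networks, the working hours and the rate threshold are all assumptions, and the sample flows are constructed.

```python
# Added example: behavioural checks on SSH flow records (no payload inspection).
# All field names, networks and thresholds below are assumptions for illustration.
from datetime import datetime
from ipaddress import ip_address, ip_network

KNOWN_SOURCES = [ip_network("10.0.0.0/8"), ip_network("198.51.100.0/24")]  # assumed allowlist
WORK_HOURS = range(7, 20)          # assumed normal hours: 07:00-19:59 local
MAX_BYTES_PER_SEC = 500_000        # assumed ceiling for normal ssh/sftp sessions

# Constructed flow records: start time, source IP, dest port, bytes, duration (s)
SAMPLE_FLOWS = [
    ("2008-06-09 10:15:00", "10.1.2.3",     22, 120_000,    60),
    ("2008-06-09 03:12:00", "10.1.2.3",     22, 80_000,     40),
    ("2008-06-09 11:00:00", "203.0.113.77", 22, 40_000,     30),
    ("2008-06-09 14:30:00", "198.51.100.9", 22, 90_000_000, 60),
    ("2008-06-09 02:00:00", "203.0.113.77", 443, 5_000,     5),
]

def check_flow(start, src, dport, nbytes, duration):
    """Return the list of behavioural anomalies for one flow (empty if none)."""
    if dport != 22:
        return []                               # only SSH/sftp is in scope
    reasons = []
    addr = ip_address(src)
    if not any(addr in net for net in KNOWN_SOURCES):
        reasons.append("unknown-source")
    if datetime.strptime(start, "%Y-%m-%d %H:%M:%S").hour not in WORK_HOURS:
        reasons.append("unusual-hour")
    if nbytes / max(duration, 1) > MAX_BYTES_PER_SEC:
        reasons.append("unusual-rate")
    return reasons

def flag_ssh_flows(flows):
    """Map (source IP, start time) to anomaly reasons for every flagged flow."""
    alerts = {}
    for flow in flows:
        reasons = check_flow(*flow)
        if reasons:
            alerts[(flow[1], flow[0])] = reasons
    return alerts

if __name__ == "__main__":
    for key, reasons in flag_ssh_flows(SAMPLE_FLOWS).items():
        print(key, reasons)
```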