[Snort-devel] [robert_david_graham at ...83...: Rapid response]

Fyodor fygrave at ...1...
Fri Oct 20 07:47:11 EDT 2000

----- Forwarded message from Robert Graham <robert_david_graham at ...83...> -----

From: Robert Graham <robert_david_graham at ...83...>
Date:         Thu, 19 Oct 2000 21:19:37 -0700
To: FOCUS-IDS at ...84...
Subject:      Rapid response
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
Reply-To: Robert Graham <robert_david_graham at ...83...>

>-- writing new signatures
>Have a look at www.whitehats.com, there is an hourly updated
>signature file. I think such service even commercial vendors don't supply.

Actually, a lot of vendors promote how fast they update. They even have
names for them like "rapid response" or some such. The problem isn't whether
you get the update rapidly, but whether the vendor actually responds in a
rapid manner in the first place. Now, I look at www.whitehats.com and
www.networkice.com and see that both have updates on their sites for the
latest IIS vulnerability (which is a HUGE vulnerability, BTW). Looking at
the other vendors' websites, I see nothing.

However, looking at the www.whitehats.com signature, I see that it only
checks for the string "%c1%1c" sent to port 80. This is the pattern of the
attack that was announced in the initial BUGTRAQ post, but it doesn't work
on most systems; the far more dangerous variant that was posted with full
exploit code uses "%c0%af". Moreover, I could list 20 more tiny variations
that exploit this in the identical way that would require 20 more
"signatures" to catch (which is why network-grep IDSs tend to have much
higher "signature counts" than protocol-analysis IDSs -- they need them to
do the same amount of work). If you test out the Network ICE update, you'll
find that it solves all these issues.

This morning I talked to two different customers who downloaded our update
we posted on Tuesday and who both saw the %c0%af variant attacks, but not
the %c1%1c variant that Whitehats is looking for.

In truth, Network ICE's response time is determined by how serious we think
the threat is, so you'll have a better average response time with Snort. On
the other hand, the point I'm trying to get across is that whether it's with
open-source or commercial, you can't trust that just because a vendor boasts
about how fast they can update in theory, they don't always do a good job at
it in practice.

Robert Graham
CTO/Network ICE


----- End forwarded message -----

Q:  How many supply-siders does it take to change a light bulb?
A:  None.  The darkness will cause the light bulb to change by itself.
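
The forwarded message contrasts a single literal-string signature with a check that covers the encoding variants. The following is an added example, not part of the message and not code from Snort, Whitehats or Network ICE: it decodes the request URI before matching, so one rule covers several encodings. The two-byte folding rule is an assumption about how a lenient decoder behaves, and the sample URIs are constructed.

```python
import re

_PCT = re.compile(rb"%([0-9A-Fa-f]{2})")

def grep_signature(uri):
    """Literal-string match on the one pattern named in the message."""
    return "%c1%1c" in uri.lower()

def percent_decode(raw):
    """Single pass of %XX decoding over the raw request bytes."""
    return _PCT.sub(lambda m: bytes([int(m.group(1), 16)]), raw)

def lenient_fold(data):
    """Fold 0xC0/0xC1-led pairs to the character a lenient decoder yields.

    Those lead bytes are never valid UTF-8, so any hit is an overlong form.
    Assumption: the decoder keeps only the low 6 bits of the second byte.
    """
    out, overlong, i = [], False, 0
    while i < len(data):
        if data[i] in (0xC0, 0xC1) and i + 1 < len(data):
            out.append(chr(((data[i] & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            overlong = True
            i += 2
        else:
            out.append(chr(data[i]))
            i += 1
    return "".join(out), overlong

def analyze(uri):
    """Return findings for one request URI after decoding it."""
    path, overlong = lenient_fold(percent_decode(uri.encode("latin-1")))
    findings = []
    if overlong:
        findings.append("overlong-utf8")
    if ".." in re.split(r"[\\/]", path):
        findings.append("dot-dot-segment")
    return findings

# Constructed sample URIs (hypothetical paths), one per encoding variant.
VARIANTS = ["/scripts/..%c1%1c../example.txt", "/scripts/..%c0%af../example.txt",
            "/scripts/..%C1%9C../example.txt", "/scripts/..%c0%2f../example.txt"]
BENIGN = ["/index.html", "/caf%c3%a9.html"]

if __name__ == "__main__":
    for u in VARIANTS + BENIGN:
        print(f"{u:36} grep={grep_signature(u)!s:5} decoded={analyze(u)}")
```

The sketch performs one decoding pass only; a request that is percent-encoded twice would need the decode step repeated before the checks.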
