[Snort-users] [robert_david_graham at ...1688...: Re: [Snort-devel] Re: CanSecWest and ADMutate]

Fyodor fygrave at ...121...
Sun Apr 8 15:17:25 EDT 2001

kinda interesting. :) the 'intrusions' link might be helpful to those who are just stepping up into
attack interpretation (well-documented, although kinda too luser-oriented :))

----- Forwarded message from Robert Graham <robert_david_graham at ...1688...> -----

From: Robert Graham <robert_david_graham at ...1688...>
Date: Thu, 5 Apr 2001 01:35:23 -0700
To: FOCUS-IDS at ...220...
Subject: Re: [Snort-devel] Re: CanSecWest and ADMutate
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
Reply-To: Robert Graham <robert_david_graham at ...1688...>

From: Max Vision
> o length; abnormal amounts of data sent where not expected.  This is
>   best handled by a plugin that can parse the protocol.  Otherwise we
>   could have a signature for each plaintext protocol keyword to
>   watch for an overflow.  For SMTP, we could watch HELO, MAIL FROM,
>   etc etc where the "length" (as measured by the stream assembler)
>   exceeded a value we thought reasonable.  I believe IDS such as
>   BlackICE rely heavily on this type of detection, and although
>   more generic, probably catches more attacks.

Just in case people are curious, the list of BlackICE intrusions is at:
You can search for words like "overflow" and "long" on this page to check
out the buffer overflows detected. As Max says, they are generic. Often, all
buffer overflows in a protocol are marked as a single item, but as specific
exploits are released, we break them out as separate "signatures",
especially when we need to sync them up with a specific BUGTRAQ ID or CVE.

As Max indicates, BlackICE is not affected by ADMutate.

BTW, the presentations I gave at CanSecWest and DefCon8 partially discussed
this topic. They are at:
Since I'm too lazy to do speaker notes, I'm not sure how useful these will

Robert Graham
CTO/Network ICE

PS: The idea that all IDSs are based on pure pattern-match is outdated.
BlackICE uses a different technology, and even Snort (otherwise famous for
patterns) does a lot of stuff beyond pattern-match, as Marty demonstrated at


----- End forwarded message -----

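The length-based detection Max Vision describes above (flagging SMTP commands such as HELO or MAIL FROM whose argument length exceeds what is considered reasonable), written out as an added example; this is not code from BlackICE, Snort or anyone in this thread, and the per-command thresholds and sample session are assumptions chosen for illustration.

```python
"""Length-based SMTP command anomaly check over reassembled client lines.
Added example; thresholds are illustrative, not a product's real values."""
import re
from typing import NamedTuple

# Assumed per-command caps on argument length (octets). RFC 5321 gives 255
# for a domain, 256 for a forward/reverse path and 512 for a command line;
# the values here are detection thresholds chosen for this example.
MAX_ARG_LEN = {"HELO": 255, "EHLO": 255, "MAIL": 256, "RCPT": 256}
DEFAULT_MAX_LINE = 512

# SMTP verbs are four letters; the rest of the line is the argument.
CMD_RE = re.compile(r"^([A-Za-z]{4})(?:\s+(.*))?$")


class Alert(NamedTuple):
    line_no: int
    command: str
    length: int
    limit: int
    reason: str


def check_smtp_stream(lines, max_arg=MAX_ARG_LEN, max_line=DEFAULT_MAX_LINE):
    """Return one Alert per client line whose whole length, or whose
    argument for a known verb, exceeds its threshold. Unknown verbs only
    get the whole-line check, which is what keeps the rule generic."""
    alerts = []
    for n, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        if len(line) > max_line:
            alerts.append(Alert(n, line[:4].upper(), len(line), max_line,
                                "command line too long"))
            continue
        m = CMD_RE.match(line)
        if not m:
            continue
        cmd, arg = m.group(1).upper(), m.group(2) or ""
        limit = max_arg.get(cmd)
        if limit is not None and len(arg) > limit:
            alerts.append(Alert(n, cmd, len(arg), limit,
                                "argument exceeds threshold"))
    return alerts


# Constructed sample session: normal commands plus one oversized HELO.
SAMPLE = [
    "EHLO mail.example.test",
    "MAIL FROM:<alice@example.test>",
    "HELO " + "A" * 300,
    "RCPT TO:<bob@example.test>",
    "DATA",
]

if __name__ == "__main__":
    for a in check_smtp_stream(SAMPLE):
        print(f"line {a.line_no}: {a.command} {a.reason} ({a.length} > {a.limit})")
```

Because the check keys on measured length rather than on the bytes of any particular exploit, a payload encoder that rewrites the shellcode but still has to send an oversized argument does not change what this rule sees.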
