[Snort-users] [robert_david_graham at ...1688...: Re: [Snort-devel] Re: CanSecWest and ADMutate]

Fyodor fygrave at ...121...
Sun Apr 8 15:17:25 EDT 2001


kinda interesting. :) the 'intrusions' link might be helpful to those who are just stepping up into
attacks interpretation (well-documented, although kinda too luser-oriented :))


----- Forwarded message from Robert Graham <robert_david_graham at ...1688...> -----

From: Robert Graham <robert_david_graham at ...1688...>
Date: Thu, 5 Apr 2001 01:35:23 -0700
To: FOCUS-IDS at ...220...
Subject: Re: [Snort-devel] Re: CanSecWest and ADMutate
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
Reply-To: Robert Graham <robert_david_graham at ...1688...>

From: Max Vision
> o length; abnormal amounts of data sent where not expected.  This is
>   best handled by a plugin that can parse the protocol.  Otherwise we
>   could have a signature for each plaintext protocol keyword to
>   watch for an overflow.  For SMTP, we could watch HELO, MAIL FROM,
>   etc etc where the "length" (as measured by the stream assembler)
>   exceeded a value we thought reasonable.  I believe IDS such as
>   BlackICE rely heavily on this type of detection, and although
>   more generic, probably catches more attacks.

Just in case people are curious, the list of BlackICE intrusions is at:
http://www.networkice.com/advice/intrusions
You can search for words like "overflow" and "long" on this page to check
out the buffer overflows detected. As Max says, they are generic. Often, all
buffer overflows in a protocol are marked as a single item, but as specific
exploits are released, we break them out as separate "signatures",
especially when we need to sync them up with a specific BUGTRAQ ID or CVE.

As Max indicates, BlackICE is not affected by ADMutate.

BTW, the presentations I gave at CanSecWest and DefCon8 partially discussed
this topic. They are at:
http://www.robertgraham.com/slides
Since I'm too lazy to do speaker notes, I'm not sure how useful these will
be.

Cheers,
Robert Graham
CTO/Network ICE

PS: The idea that all IDSs are based on pure pattern-match is outdated.
BlackICE uses a different technology, and even Snort (otherwise famous for
patterns) does a lot of stuff beyond pattern-match, as Marty demonstrated at
CanSecWest.




----- End forwarded message -----

-- 
http://www.notlsd.net
PGP fingerprint = 56DD 1511 DDDA 56D7 99C7  B288 5CE5 A713 0969 A4D1
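As an added illustration of the length-based detection Max describes in the quoted text (not code from the thread, BlackICE or Snort): a check that keys on SMTP command keywords and alerts when the argument length exceeds a per-keyword threshold. The sample stream and the thresholds are constructed assumptions; the point is that the check fires on the oversized HELO and MAIL FROM arguments without matching any byte pattern in the payload, which is why a polymorphic encoder does not change the outcome.

```python
import re

# Constructed sample of a reassembled SMTP client stream, one command per line.
SAMPLE_STREAM = [
    "HELO mail.example.test",
    "MAIL FROM:<alice@example.test>",
    "RCPT TO:<bob@example.test>",
    "HELO " + "A" * 600,                             # constructed: oversized argument
    "MAIL FROM:<" + "B" * 1200 + "@example.test>",   # constructed: oversized argument
    "DATA",
]

# Assumed per-keyword argument limits (chosen for this example, not from any product).
# RFC 821 caps a command line at 512 bytes, so anything past DEFAULT_MAX is abnormal
# regardless of what the bytes contain.
MAX_ARG_LEN = {"HELO": 255, "EHLO": 255, "MAIL FROM": 320, "RCPT TO": 320}
DEFAULT_MAX = 512

# Keyword followed by optional space/colon, then the argument text.
_CMD_RE = re.compile(r"^(HELO|EHLO|MAIL FROM|RCPT TO|[A-Z]{4})[ :]*(.*)$", re.IGNORECASE)


def check_command(line):
    """Return (keyword, argument_length, alert) for one SMTP command line."""
    m = _CMD_RE.match(line.rstrip("\r\n"))
    if not m:
        # Not a recognisable command: report raw length, let the caller decide.
        return None, len(line), False
    keyword = m.group(1).upper()
    arg_len = len(m.group(2))
    limit = MAX_ARG_LEN.get(keyword, DEFAULT_MAX)
    return keyword, arg_len, arg_len > limit


def scan_stream(lines):
    """Apply the length check to every line; return [(keyword, argument_length)] alerts."""
    alerts = []
    for line in lines:
        keyword, arg_len, alert = check_command(line)
        if alert:
            alerts.append((keyword, arg_len))
    return alerts


if __name__ == "__main__":
    for kw, n in scan_stream(SAMPLE_STREAM):
        print(f"ALERT: {kw} argument of {n} bytes exceeds expected length")
```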