[Snort-users] [robert_david_graham at ...1688...: Re: [Snort-devel] Re: CanSecWest and ADMutate]
fygrave at ...121...
Sun Apr 8 15:17:25 EDT 2001
kinda interesting. :) the 'intrusions' link might be helpful to those who are just stepping up into
attacks interpretation (well-documented, although kinda too luser-oriented :))
----- Forwarded message from Robert Graham <robert_david_graham at ...1688...> -----
From: Robert Graham <robert_david_graham at ...1688...>
Date: Thu, 5 Apr 2001 01:35:23 -0700
To: FOCUS-IDS at ...220...
Subject: Re: [Snort-devel] Re: CanSecWest and ADMutate
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
Reply-To: Robert Graham <robert_david_graham at ...1688...>
From: Max Vision
> o length; abnormal amounts of data sent where not expected. This is
> best handled by a plugin that can parse the protocol. Otherwise we
> could have a signature for each plaintext protocol keyword to
> watch for an overflow. For SMTP, we could watch HELO, MAIL FROM,
> etc etc where the "length" (as measured by the stream assembler)
> exceeded a value we thought reasonable. I believe IDS such as
> BlackICE rely heavily on this type of detection, and although
> more generic, probably catches more attacks.
Just in case people are curious, the list of BlackICE intrusions is at:
You can search for words like "overflow" and "long" on this page to check
out the buffer overflows detected. As Max says, they are generic. Often, all
buffer overflows in a protocol are marked as a single item, but as specific
exploits are released, we break them out as separate "signatures",
especially when we need to sync them up with a specific BUGTRAQ ID or CVE.
As Max indicates, BlackICE is not affected by ADMutate.
BTW, the presentations I gave at CanSecWest and DefCon8 partially discussed
this topic. They are at:
Since I'm too lazy to do speaker notes, I'm not sure how useful these will
PS: The idea that all IDSs are based on pure pattern-match is outdated.
BlackICE uses a different technology, and even Snort (otherwise famous for
patterns) does a lot of stuff beyond pattern-match, as Marty demonstrated at
----- End forwarded message -----
PGP fingerprint = 56DD 1511 DDDA 56D7 99C7 B288 5CE5 A713 0969 A4D1
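The length-based detection Max Vision describes above (watching each plaintext protocol keyword for an argument longer than anything reasonable, measured on the reassembled stream), shown here as an added example; it is not part of the original thread and is not BlackICE or Snort code. The per-verb thresholds, the sample SMTP session and the fixed-byte signature it is contrasted with are all constructed for illustration; the point it makes is the one in the post, that a length check keeps firing when the bytes of a payload change while a fixed pattern does not.

```python
"""Generic length-based detection for SMTP command arguments.

Added example, not from the original post. Limits, sample traffic and the
fixed-byte signature below are constructed assumptions.
"""
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed "reasonable" argument-length limits per verb. RFC 5321 permits a
# 512-octet command line; these are deliberately tighter (an assumption).
MAX_ARG_LEN: Dict[str, int] = {
    "HELO": 255,
    "EHLO": 255,
    "MAIL": 320,   # MAIL FROM:<path>
    "RCPT": 320,   # RCPT TO:<path>
    "VRFY": 255,
    "EXPN": 255,
}
DEFAULT_MAX_ARG_LEN = 512


class Alert(NamedTuple):
    verb: str
    length: int
    limit: int


# An SMTP command is a four-letter verb, optionally followed by an argument.
_CMD_RE = re.compile(rb"^([A-Za-z]{4})(?:[ \t]+(.*))?$")


def check_command(line: bytes) -> Optional[Alert]:
    """Return an Alert when a command's argument exceeds the limit for its verb.

    Lines that do not look like commands (e.g. message body) are ignored.
    """
    line = line.rstrip(b"\r\n")
    m = _CMD_RE.match(line)
    if not m:
        return None
    verb = m.group(1).upper().decode("ascii")
    arg = m.group(2) or b""
    limit = MAX_ARG_LEN.get(verb, DEFAULT_MAX_ARG_LEN)
    if len(arg) > limit:
        return Alert(verb, len(arg), limit)
    return None


# A constructed fixed-byte signature, standing in for the kind of pattern
# match that stops firing as soon as the payload bytes are varied.
FIXED_SIGNATURE = b"A" * 32


def pattern_match(line: bytes) -> bool:
    return FIXED_SIGNATURE in line


# Constructed sample session: three normal commands and two overlong HELOs.
# The two overlong lines have different filler bytes but similar length.
_PRINTABLE = bytes(range(0x21, 0x7F))          # 94 printable, non-space bytes
SAMPLE_SESSION: List[bytes] = [
    b"EHLO mail.example.net\r\n",
    b"MAIL FROM:<alice@example.net>\r\n",
    b"RCPT TO:<bob@example.org>\r\n",
    b"HELO " + b"A" * 600 + b"\r\n",          # overlong; also hits FIXED_SIGNATURE
    b"HELO " + _PRINTABLE * 7 + b"\r\n",       # overlong (658 bytes); signature misses
]


def scan_session(lines: List[bytes]) -> Dict[str, object]:
    """Run both detectors over a session; return which line indexes each flagged."""
    length_alerts: Dict[int, Alert] = {}
    pattern_hits: List[int] = []
    for i, line in enumerate(lines):
        alert = check_command(line)
        if alert is not None:
            length_alerts[i] = alert
        if pattern_match(line):
            pattern_hits.append(i)
    return {"length": length_alerts, "pattern": pattern_hits}


if __name__ == "__main__":
    result = scan_session(SAMPLE_SESSION)
    for i, alert in result["length"].items():
        print(f"line {i}: {alert.verb} argument {alert.length} > {alert.limit}")
    print("fixed-signature hits:", result["pattern"])
```

Run as a script it reports both overlong HELO lines from the length check but only the first from the fixed signature, which is the generic-versus-specific trade-off Max and Robert are discussing; in a real sensor the line would be taken from the reassembled TCP stream rather than a list, so that splitting a command across segments does not hide its length.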