Intrusion Detection Systems

bron | 2 Jul 2007 05:01

SMTP traffic


 I am sort of new to IDS. I am writing rule for IPS.  If i have a rule which requires monitoring the argument of
Mail From : SMTP command, then it may happen that my rule can get triggered inside the body of emails giving
me false positives. 
 
 Any suggestions how can i remove such false positives ?

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------

headers

Jose Nazario | 3 Jul 2007 19:55

Re: SMTP traffic

On Sun, 2 Jul 2007, bron <at> gmail.com wrote:

> I am sort of new to IDS. I am writing rule for IPS.  If i have a rule 
> which requires monitoring the argument of Mail From : SMTP command, then 
> it may happen that my rule can get triggered inside the body of emails 
> giving me false positives.

> Any suggestions how can i remove such false positives ?

if your IDS doesn't keep track of the SMTP dialogue (IIRC NFR used to, as 
an example), you can specify a maximum search depth for the MAIL FROM 
command. alternatively, if you have to write regular expressions, you can 
enforce the MAIL FROM command coming after the HELO or EHLO command and 
before the RCPT TO command. the regex's get a bit hairy there, though.

hope that helps.

________
jose nazario, ph.d.		    jose <at> monkey.org
http://monkey.org/~jose/ 	    http://monkey.org/~jose/secnews.html
 				    http://www.wormblog.com/

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.

(Continue reading)

headers

max | 3 Jul 2007 20:30

Re: SMTP traffic

Hi ,

 Signature will have to be dependent upon some flag. When the value of flag is set then only the signature will
get activated. 

The value of flag will have to be set by some decoding signature. Decoding signature will parse the SMTP
traffic and set the value of flag. It will be at high priority as compared to the  other signatures. I have
written the psuedo code of decoding algo which sets the value of flag a.

 So to the FP free signature for Mail From command to prevent FP,will check the value of flag. If value of flag a
= 1, then only signature should get activated..





If (pattern="HELO" or EHLO or LHLO)
  
  STEP 1 {
Varible a = 1;   # HELO, EHLO LHLO are the first commands in SMTP  # Connection
         }

    If (pattern="DATA\r\n" or pattern=DATA\n GOTO STEP 2 else STEP 1)
 
  STEP 2 {
 	     
	      Variable a = 2; 
         }

    If (pattern="\n\r\n" or pattern=\n\n GOTO STEP 3 or STEP 2)

(Continue reading)

headers

jasonj | 8 Jul 2007 11:05

Re: Detecting covert data channels?

 
If the data is encoded in the header then it might be very difficult the check the presence of covert
channels. www.2factor.us/tunnel.html has  discussed and implemented such kind of system where in
malicious covert channel is established by the unused header fields and the channel is encrypted.

 One of the solution (discussed at www.2factor.us/tunnel) for the IPS can be to normalize or enforce
policies in the unused header fields. This can prevent the malicious covert channel. 

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------

headers

Andres Riancho | 11 Jul 2007 14:26

TippingPoint detection bypass


(The following advisory is also available in PDF format for download at:
http://www.cybsec.com/vuln/CYBSEC-Security_Pre-Advisory_3Com_TippingPoint_IPS_Detection_Bypass_2.pdf
)

 
CYBSEC S.A.
www.cybsec.com

 
Pre-Advisory Name: TippingPoint detection bypass
==================

Vulnerability Class: Design flaw
====================

Release Date: 2007-07-04
=============

Affected Platforms:
===================
* TippingPoint IPS running TOS versions 2.1.x, 2.2.x prior to 2.2.5,
and 2.5.x prior to 2.5.2

Local / Remote: Remote
===============

Severity: High
=========

(Continue reading)

headers

RS | 16 Jul 2007 04:31

CFP now open for ClubHack, India's own hackers' convention

Hi All
CFP is now open for ClubHack: India's own International Hackers' Convention.
They are planning to hold the event in the month of December in Pune, India.

CFP is open from 15th July & will close on 15th Oct.
For more details check out

http://clubhack.com

Happy Hacking
RS

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Swap Out your SPI or Watchfire app sec solution for
Cenzic's robust, accurate risk assessment and management
solution FREE - limited Time Offer

http://www.cenzic.com/c/wf-spi
------------------------------------------------------------------------

headers

jeremy | 13 Jul 2007 19:21

Re: Detecting covert data channels?

The key question here is 'why?' If your goal is detection and forensics then collecting batches of data for
statistical analysis is likely to be both possible and the best approach. You'll want to analyze the data
in multiple dimensions to look for anomalies across volume, targets, protocol structure, sequencing,
fragmentation, metadata, etc. (Remember you covert channel may not be in the data at all it may be as subtle
as the timing of when the packets arrive or the order)
For this approach I'd tend to use tcpdump and various custom scripts doing the batch analysis.

If your goal is to prevent data leakage or generally prevent unmonitored communications then I think that
detection is mostly moot. Instead you should focus on prevention. In this case, analyze what you can and
what you care about and normalize the rest. All covert channels I can think of rely on using parts of the data
streams that are not used for the core protocol goals. Therefore normalizing traffic rates, header
fields, sequencing, fragmentation, etc will simply remove the opportunity for almost all covert channels.
You will, of course, still need the forensic approach above if you want to increase your confidence but as
you find each possible channel you'll probably only need to modify your normalization to remove it.

-J

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------

headers

anthony | 15 Jul 2007 21:11

tripwire failed???

I have discovered that my server has been compromised.  I believe it's
some sort of rootkit.  It has managed to circumvent both rkhunter and
tripwire.  The only reason I detected it is because I happened to run a
'ps' command when server was slow and noticed a connection from an
unwarranted user. I then 'netstat'ed.  Apparently, the attacker(s) is
utilizing a program that obfuscates their presence in the usual logging
areas as well.  I just "happened" to catch them.  'ps -aux' showed that an
UNKNOWN user was utilizing sshd.  I was able to parse output to a file for
further viewing. I would post 'log-files' but they show now indication of
compromise (s fr s I can tell)

I know that there are a plethora of rootkits in cirulation, but does
anyone know how I might detect/remove such  rootkit?  I hate to have to
reload OS/tripwire/rkhunter/reload permissions... start over.

Any other tools I should be utilizing?

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------

headers

nj006 | 16 Jul 2007 05:28

HTTP traffic


 When we write any rules for HTTP traffic will there be any issue of false positive ?


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------

headers

Pachulski, Keith | 17 Jul 2007 18:32

RE: HTTP traffic

If you buy a car, will it break down at some point?

-----Original Message-----
From: listbounce <at> securityfocus.com [mailto:listbounce <at> securityfocus.com]
On Behalf Of nj006 <at> gmail.com
Sent: Sunday, July 15, 2007 10:29 PM
To: focus-ids <at> securityfocus.com
Subject: HTTP traffic

 When we write any rules for HTTP traffic will there be any issue of
false positive ?

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaig
n=intro_sfw 
to learn more.
------------------------------------------------------------------------

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.

(Continue reading)

4	June 2011
3	May 2011
5	April 2011
29	February 2011
9	October 2010
1	September 2010
2	August 2010
44	July 2010
3	June 2010
4	May 2010
1	April 2010
3	March 2010
2	February 2010
1	January 2010
22	December 2009
2	November 2009
3	October 2009
9	September 2009
30	August 2009
39	July 2009
47	June 2009
23	May 2009
51	April 2009
104	March 2009
33	February 2009
19	January 2009
16	December 2008
22	November 2008
52	October 2008
6	September 2008
7	August 2008
20	July 2008
37	June 2008
61	May 2008
13	April 2008
12	March 2008
41	February 2008
43	January 2008
60	December 2007
29	November 2007
79	October 2007
45	September 2007
38	August 2007
26	July 2007
9	June 2007
31	May 2007
34	April 2007
106	March 2007
26	February 2007
25	January 2007
21	December 2006
24	November 2006
30	October 2006
35	September 2006
51	August 2006
48	July 2006
46	June 2006
59	May 2006
79	April 2006
70	March 2006
106	February 2006
90	January 2006
83	December 2005
63	November 2005
110	October 2005
81	September 2005
116	August 2005
154	July 2005
101	June 2005
101	May 2005
57	April 2005
166	March 2005
40	February 2005
138	January 2005
107	December 2004
93	November 2004
43	October 2004
116	September 2004
143	August 2004
87	July 2004
166	June 2004
106	May 2004
60	April 2004
141	March 2004
105	February 2004
112	January 2004
118	December 2003
134	November 2003
123	October 2003
70	September 2003
164	August 2003
89	July 2003
255	June 2003
75	May 2003
70	April 2003
53	March 2003
119	February 2003
182	January 2003
105	December 2002
70	November 2002
153	October 2002
150	September 2002
163	August 2002
143	July 2002
152	June 2002
83	May 2002
119	April 2002
161	March 2002
1	January 2002
2	March 2000

Mon	Tue	Wed	Thu	Fri	Sat	Sun

						1
2	3	4	5	6	7	8
9	10	11	12	13	14	15
16	17	18	19	20	21	22
23	24	25	26	27	28	29
30	31