bron | 2 Jul 05:01 2007

SMTP traffic


 I am sort of new to IDS. I am writing a rule for an IPS.  If I have a rule which requires monitoring the argument of
the MAIL FROM: SMTP command, then it may happen that my rule gets triggered inside the body of emails, giving
me false positives.
 
 Any suggestions how I can remove such false positives?

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------

Jose Nazario | 3 Jul 19:55 2007

Re: SMTP traffic

On Sun, 2 Jul 2007, bron <at> gmail.com wrote:

> I am sort of new to IDS. I am writing rule for IPS.  If i have a rule 
> which requires monitoring the argument of Mail From : SMTP command, then 
> it may happen that my rule can get triggered inside the body of emails 
> giving me false positives.

> Any suggestions how can i remove such false positives ?

if your IDS doesn't keep track of the SMTP dialogue (IIRC NFR used to, as 
an example), you can specify a maximum search depth for the MAIL FROM 
command. alternatively, if you have to write regular expressions, you can 
enforce the MAIL FROM command coming after the HELO or EHLO command and 
before the RCPT TO command. the regexes get a bit hairy there, though.

hope that helps.

________
jose nazario, ph.d.		    jose <at> monkey.org
http://monkey.org/~jose/ 	    http://monkey.org/~jose/secnews.html
 				    http://www.wormblog.com/


max | 3 Jul 20:30 2007

Re: SMTP traffic

Hi,

 The signature will have to be dependent upon some flag. Only when the value of the flag is set will the signature
get activated.

The value of the flag will have to be set by some decoding signature. The decoding signature will parse the SMTP
traffic and set the value of the flag. It will be at a higher priority as compared to the other signatures. I have
written the pseudo code of the decoding algo which sets the value of flag a.

 So the FP-free signature for the Mail From command, to prevent FPs, will check the value of the flag. Only if the
value of flag a = 1 should the signature get activated.

If (pattern = "HELO" or "EHLO" or "LHLO")
  STEP 1 {
    Variable a = 1;   # HELO, EHLO, LHLO are the first commands in an SMTP connection
  }

  If (pattern = "DATA\r\n" or pattern = "DATA\n") GOTO STEP 2 else STEP 1
  STEP 2 {
    Variable a = 2;
  }

  If (pattern = "\n\r\n" or pattern = "\n\n") GOTO STEP 3 else STEP 2
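The dialogue tracking that Jose and max describe, as an added Python example that is not code from either poster: a decoder assigns max's flag a to every client-side line, and the MAIL FROM check (an over-long envelope-sender argument, an assumed rule chosen for illustration) fires only while a == 1. The session lines are constructed.

```python
import re

# Phase flag follows max's variable "a": 1 = SMTP command phase (after HELO/EHLO/LHLO),
# 2 = inside DATA but still in the message headers, 3 = inside the message body.
HELO_RE = re.compile(rb"^(HELO|EHLO|LHLO)\b", re.I)
MAIL_RE = re.compile(rb"^MAIL FROM:\s*<?([^>]*)>?", re.I)

def track_phases(client_lines):
    """Yield (phase, line) for each client-side line, following the SMTP dialogue."""
    a = 0                                    # 0 = nothing seen yet
    for line in client_lines:
        text = line.rstrip(b"\r\n")
        if a in (0, 1) and HELO_RE.match(text):
            a = 1
        elif a == 1 and text.upper() == b"DATA":
            a = 2
        elif a == 2 and text == b"":         # blank line ends the headers
            a = 3
        elif a == 3 and text == b".":        # lone dot ends the message: back to commands
            a = 1
        yield a, line

def mail_from_alerts(client_lines, max_len=64, use_dialogue=True):
    """Alert on an over-long MAIL FROM argument (assumed rule). With use_dialogue=False
    this is bron's original rule, every line inspected; with True only lines the
    decoder places in the command phase (a == 1) are inspected."""
    hits = []
    for a, line in track_phases(client_lines):
        if use_dialogue and a != 1:
            continue
        m = MAIL_RE.match(line.rstrip(b"\r\n"))
        if m and len(m.group(1)) > max_len:
            hits.append(m.group(1))
    return hits

# Constructed client side of one session: the over-long MAIL FROM quoted inside the
# message body must not alert, the one sent after the message ends must.
SESSION = [
    b"EHLO mail.example.net\r\n",
    b"MAIL FROM:<alice@example.net>\r\n",
    b"RCPT TO:<bob@example.com>\r\n",
    b"DATA\r\n",
    b"Subject: about your rule\r\n",
    b"\r\n",
    b"MAIL FROM:<" + b"A" * 100 + b">\r\n",
    b".\r\n",
    b"MAIL FROM:<" + b"B" * 100 + b">\r\n",
    b"QUIT\r\n",
]
```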

jasonj | 8 Jul 11:05 2007

Re: Detecting covert data channels?

 
If the data is encoded in the header then it might be very difficult to check for the presence of covert
channels. www.2factor.us/tunnel.html has discussed and implemented such a kind of system, wherein a
malicious covert channel is established through the unused header fields and the channel is encrypted.

 One of the solutions (discussed at www.2factor.us/tunnel) for the IPS can be to normalize or enforce
policies on the unused header fields. This can prevent the malicious covert channel. 


Andres Riancho | 11 Jul 14:26 2007

TippingPoint detection bypass


(The following advisory is also available in PDF format for download at:
http://www.cybsec.com/vuln/CYBSEC-Security_Pre-Advisory_3Com_TippingPoint_IPS_Detection_Bypass_2.pdf
)

 
CYBSEC S.A.
www.cybsec.com

 
Pre-Advisory Name: TippingPoint detection bypass
==================

Vulnerability Class: Design flaw
====================

Release Date: 2007-07-04
=============

Affected Platforms:
===================
* TippingPoint IPS running TOS versions 2.1.x, 2.2.x prior to 2.2.5,
and 2.5.x prior to 2.5.2

Local / Remote: Remote
===============

Severity: High
=========


RS | 16 Jul 04:31 2007

CFP now open for ClubHack, India's own hackers' convention

Hi All
CFP is now open for ClubHack: India's own International Hackers' Convention.
They are planning to hold the event in the month of December in Pune, India.

CFP is open from 15th July & will close on 15th Oct.
For more details check out

http://clubhack.com

Happy Hacking
RS

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Swap Out your SPI or Watchfire app sec solution for
Cenzic's robust, accurate risk assessment and management
solution FREE - limited Time Offer

http://www.cenzic.com/c/wf-spi
------------------------------------------------------------------------

jeremy | 13 Jul 19:21 2007

Re: Detecting covert data channels?

The key question here is 'why?' If your goal is detection and forensics then collecting batches of data for
statistical analysis is likely to be both possible and the best approach. You'll want to analyze the data
in multiple dimensions to look for anomalies across volume, targets, protocol structure, sequencing,
fragmentation, metadata, etc. (Remember your covert channel may not be in the data at all; it may be as subtle
as the timing of when the packets arrive, or their order.)
For this approach I'd tend to use tcpdump and various custom scripts doing the batch analysis.

If your goal is to prevent data leakage or generally prevent unmonitored communications then I think that
detection is mostly moot. Instead you should focus on prevention. In this case, analyze what you can and
what you care about and normalize the rest. All covert channels I can think of rely on using parts of the data
streams that are not used for the core protocol goals. Therefore normalizing traffic rates, header
fields, sequencing, fragmentation, etc. will simply remove the opportunity for almost all covert channels.
You will, of course, still need the forensic approach above if you want to increase your confidence, but as
you find each possible channel you'll probably only need to modify your normalization to remove it.

-J
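The header normalization jeremy recommends, as an added Python example that is not part of the original thread: it forces the IPv4/TCP header fields the core protocol does not use (TOS, the IP ID when DF is set, the TCP reserved bits, the urgent pointer when URG is clear) to fixed values, recomputes both checksums, and shows the planted covert bits are gone. The packet is constructed, and treating TOS as unused is an assumption that only holds where no QoS marking is in use.

```python
import struct

def _csum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum; odd-length input is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def normalize_ipv4_tcp(pkt: bytes) -> bytes:
    """Copy of an IPv4/TCP packet with fields the core protocol does not need
    forced to fixed values, then both checksums recomputed."""
    ihl = (pkt[0] & 0x0F) * 4
    ip, tcp = bytearray(pkt[:ihl]), bytearray(pkt[ihl:])
    ip[1] = 0                                   # TOS/DSCP (assumes no QoS marking in use)
    flags_frag = struct.unpack("!H", ip[6:8])[0]
    if flags_frag & 0x4000:                     # DF set: IP ID plays no fragmentation role
        ip[4:6] = b"\x00\x00"
    ip[6:8] = struct.pack("!H", flags_frag & 0x7FFF)  # clear the reserved flag bit
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", _csum(bytes(ip)))
    tcp[12] &= 0xF0                             # zero the reserved bits after data offset
    if not tcp[13] & 0x20:                      # URG clear: urgent pointer must be zero
        tcp[18:20] = b"\x00\x00"
    tcp[16:18] = b"\x00\x00"
    pseudo = bytes(ip[12:20]) + b"\x00\x06" + struct.pack("!H", len(tcp))
    tcp[16:18] = struct.pack("!H", _csum(pseudo + bytes(tcp)))
    return bytes(ip) + bytes(tcp)

def covert_fields(pkt: bytes) -> dict:
    """The header fields a covert channel in 'unused' space could occupy."""
    ihl = (pkt[0] & 0x0F) * 4
    return {"tos": pkt[1], "ip_id": struct.unpack("!H", pkt[4:6])[0],
            "tcp_reserved": pkt[ihl + 12] & 0x0F,
            "urg_ptr": struct.unpack("!H", pkt[ihl + 18:ihl + 20])[0]}

def checksums_valid(pkt: bytes) -> bool:
    """True when the IP and TCP checksums both verify (sum over header is zero)."""
    ihl = (pkt[0] & 0x0F) * 4
    pseudo = pkt[12:20] + b"\x00\x06" + struct.pack("!H", len(pkt) - ihl)
    return _csum(pkt[:ihl]) == 0 and _csum(pseudo + pkt[ihl:]) == 0

# Constructed sample: PSH/ACK segment 10.0.0.1:40000 -> 10.0.0.2:25 carrying "hello",
# with covert bits planted in TOS, IP ID, the TCP reserved nibble and the urgent pointer.
TCP_RAW = struct.pack("!HHIIBBHHH", 40000, 25, 1, 1, 0x55, 0x18, 8192, 0, 0x4141) + b"hello"
IP_RAW = struct.pack("!BBHHHBBH4s4s", 0x45, 0x2A, 20 + len(TCP_RAW), 0xBEEF, 0x4000,
                     64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
SAMPLE = IP_RAW + TCP_RAW
```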


anthony | 15 Jul 21:11 2007

tripwire failed???

I have discovered that my server has been compromised.  I believe it's
some sort of rootkit.  It has managed to circumvent both rkhunter and
tripwire.  The only reason I detected it is because I happened to run a
'ps' command when the server was slow and noticed a connection from an
unwarranted user. I then 'netstat'ed.  Apparently, the attacker(s) are
utilizing a program that obfuscates their presence in the usual logging
areas as well.  I just "happened" to catch them.  'ps -aux' showed that an
UNKNOWN user was utilizing sshd.  I was able to parse the output to a file for
further viewing. I would post 'log-files' but they show no indication of
compromise (as far as I can tell).

I know that there are a plethora of rootkits in circulation, but does
anyone know how I might detect/remove such a rootkit?  I hate to have to
reload OS/tripwire/rkhunter/reload permissions... start over.

Any other tools I should be utilizing?


nj006 | 16 Jul 05:28 2007

HTTP traffic


 When we write any rules for HTTP traffic, will there be any issue of false positives?



Pachulski, Keith | 17 Jul 18:32 2007

RE: HTTP traffic

If you buy a car, will it break down at some point?

-----Original Message-----
From: listbounce <at> securityfocus.com [mailto:listbounce <at> securityfocus.com]
On Behalf Of nj006 <at> gmail.com
Sent: Sunday, July 15, 2007 10:29 PM
To: focus-ids <at> securityfocus.com
Subject: HTTP traffic

 When we write any rules for HTTP traffic will there be any issue of
false positive ?

