abhuyan | 2 Aug 2007 07:46

Re: Re: HTTP traffic

Yes, especially client-side based rules. It's always better to be a bit exploit specific. On the server side,
chances are less if you write vulnerability specific rules, or use some tactics to prevent false positives.
As abhi specified about the MS-DOS device name vulnerability, if we block just "com" it will trigger FPs for
requests like "3com", ".com", "common" etc. So you need to *think* how to counter it, maybe look for a
space after 'com' or check that no bytes follow after 'com', also keeping in mind various evasion tactics.
HTH

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------
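The false-positive problem described in the post above (a bare "com" match firing on "3com", ".com" or "common") and the evasion caveat that follows it can be seen side by side in a small check. This is an added example, not code from the original thread; the naive rule, the device-name rule, the URI samples and the list of reserved MS-DOS device names are constructed for illustration, and the normalisation step (percent-decoding, backslash handling, case folding) stands in for the kind of protocol parsing a real IDS does before matching:

```python
from urllib.parse import unquote

# Reserved MS-DOS device names. Constructed for this example: the unnumbered
# names plus COM1..COM9 and LPT1..LPT9.
DEVICE_NAMES = (
    {"con", "prn", "aux", "nul"}
    | {f"com{i}" for i in range(1, 10)}
    | {f"lpt{i}" for i in range(1, 10)}
)


def naive_rule(uri: str) -> bool:
    """The 'block anything containing com' rule the thread warns about."""
    return "com" in uri.lower()


def normalise_uri(uri: str) -> str:
    """Undo common evasions before matching: percent-encoding (applied twice
    so double-encoded bytes are also decoded), backslash as a path separator,
    and case differences."""
    decoded = unquote(unquote(uri))
    return decoded.replace("\\", "/").lower()


def device_name_rule(uri: str) -> bool:
    """Fire only when a whole path segment is a reserved device name.

    This is the check suggested in the post: the name must be followed by
    nothing at all, by a space, or by an extension ('.' + anything), since
    Windows strips trailing spaces and treats 'com1.txt' as COM1. Query
    strings are ignored because the device name only matters as a path
    component.
    """
    path = normalise_uri(uri).split("?", 1)[0]
    for segment in path.split("/"):
        base = segment.split(".", 1)[0].rstrip(" ")
        if base in DEVICE_NAMES:
            return True
    return False


def audit(uris):
    """Compare both rules over a list of request URIs.

    Returns {uri: (naive_fires, device_rule_fires)} so the false positives
    (True, False) and the evasions (False, True) are easy to pick out.
    """
    return {u: (naive_rule(u), device_name_rule(u)) for u in uris}


if __name__ == "__main__":
    # Constructed sample request paths.
    samples = [
        "/3com/index.html",           # legitimate, naive rule misfires
        "/common/page.com",           # legitimate, naive rule misfires
        "/com1",                      # device name, nothing follows
        "/scripts/COM1.txt",          # device name with an extension
        "/scripts/%43%4f%4d%31",      # percent-encoded COM1 evades the naive rule
        "/aux ",                      # device name followed by a space
        "/cgi-bin/search?q=com1",     # device name only in the query string
    ]
    for uri, (naive, refined) in audit(samples).items():
        print(f"{uri!r:32} naive={naive!s:5} device_rule={refined}")
```

Running the block prints one line per sample; the first two show the false positives the post describes, and the percent-encoded sample shows why the normalisation step is part of the rule rather than an afterthought.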

Paul Halliday | 4 Aug 2007 03:14

Re: port mirroring for two targets

Providing you are referring to the same stream of data, you would not require 2.

I use numerous tools; netflow, snort, sancp, etc all utilizing the
same data from the same span port.

Why would you need two? Can you provide more detail on what exactly it
is you are trying to achieve?

> From: listbounce <at> securityfocus.com [mailto:listbounce <at> securityfocus.com]
> On Behalf Of JGolian <at> seznam.cz
> Sent: Wednesday, July 18, 2007 7:41 AM
> To: focus-ids <at> securityfocus.com
> Subject: port mirroring for two targets
>
> I need port mirrored data for snort and for ntop.
> How to make it? Is possible to create two mirroring ports?


abhicc285 | 4 Aug 2007 12:00

Re: Re: Re: HTTP traffic


Instead of writing exploit specific rules to prevent false positives, I think it is much better to have an
understanding of the protocol, and to have a signature or rule which will create a region where other
vulnerability specific rules can operate.


Zhihao | 6 Aug 2007 08:53

RE: tripwire failed???

It is probably a good idea to move on to Osiris, http://osiris.shmoo.com

It uses a client server architecture for the deployment of scanning agents
and the storage of the hashes. Another useful feature it has is the ability
to detect newly loaded kernel modules which I believe would have been a
little more helpful in your case.

-----Original Message-----
From: listbounce <at> securityfocus.com [mailto:listbounce <at> securityfocus.com] On
Behalf Of Stefano Zanero
Sent: Wednesday, 18 July, 2007 12:19 AM
To: anthony <at> synt3gra.com
Cc: focus-ids <at> securityfocus.com
Subject: Re: tripwire failed???

> I have discovered that my server has been compromised.  

Welcome to the happy club comprising... everybody who's ever managed a
server :D

> I believe it's
> some sort of rootkit.

You should also hunt for the way IN, otherwise you will never shut out
the attacker. The rootkit is a way to REMAIN in, not a way to get entry.

>  It has managed to circumvent both rkhunter and
> tripwire.

Cool. How are you running tripwire, exactly? Is the list of hashes on
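The integrity-checking idea behind tripwire and Osiris as discussed in this exchange (hash a baseline, keep the hash store away from the monitored host, compare later) reduces to a few functions. This is an added example, not code from tripwire, Osiris or the original posts; the directory layout, file contents and the in-memory JSON "store" are constructed for the demonstration. Zanero's question about where the hash list lives is the point: the baseline must be kept where a compromised host cannot rewrite it, and a kernel rootkit can still hide files from the scanner itself, which is why Osiris's kernel-module detection is mentioned above.

```python
import hashlib
import json
import os
import tempfile


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> dict:
    """Hash every regular file under root, keyed by path relative to root.

    Symlinks are skipped here; a real tool records their targets separately.
    """
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report modified, added and removed files between two baselines."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed scenario: take a baseline, tamper with the tree, re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "bin")
        os.mkdir(root)
        with open(os.path.join(root, "ls"), "wb") as fh:
            fh.write(b"original ls")
        with open(os.path.join(root, "ps"), "wb") as fh:
            fh.write(b"original ps")

        # Serialise the baseline as it would be shipped to a separate store
        # (Osiris's server side in the post above). Kept in memory here.
        stored = json.dumps(build_baseline(root))

        # Simulated tampering: a replaced binary, a deleted one, a dropped file.
        with open(os.path.join(root, "ps"), "wb") as fh:
            fh.write(b"trojaned ps")
        os.unlink(os.path.join(root, "ls"))
        with open(os.path.join(root, ".hidden"), "wb") as fh:
            fh.write(b"dropper")

        return compare(json.loads(stored), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The comparison only detects what the scanner can see: the report is trustworthy to the extent that the kernel returning directory listings and file contents is, which is exactly the gap a rootkit exploits.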

hirosh | 8 Aug 2007 12:22

Re: Re: Re: HTTP traffic

Exploit specific means -> you have less idea about the vulnerability and you want to complete the rules fast??
If you have a good idea about the vulnerability and you can do a better protocol or whatever parsing is needed, then why
go for exploit specific? It doesn't look professional; you can be bypassed by just changing AAA to BBB bobo..


Daniel Cid | 8 Aug 2007 04:39

OSSEC v1.3 released

We are pleased to announce the general availability of
OSSEC version 1.3. This is one of our biggest releases
so far, our first under the GPLv3, with numerous new
features and bug fixes.

OSSEC is an Open Source Host-based Intrusion Detection
System. It performs log analysis, integrity checking,
Windows registry monitoring, rootkit detection,
real-time alerting and active response.

It runs on most operating systems, including Linux,
OpenBSD, FreeBSD, MacOS, Solaris and Windows.

This new version comes with the following major new
features:

    * User interface to manage the Windows Agent.
      http://www.ossec.net/dcid/?p=91
    * Support for Courier pop3/imapd logs.
    * Support for Cisco IOS logs.
    * Support for Symantec Web Security logs.
    * Support for SMF-SAV Sendmail filter logs.
    * Chinese Translation of the installation script.
    * Support for host-based policy monitoring and
      enforcement on Windows systems:
      http://ossec.net/wiki/index.php/Know_How:WindowsPolicy

More information at:
http://www.ossec.net/main/ossec-v13-released

Abhishek Bhuyan | 8 Aug 2007 18:13

Re: Re: Re: HTTP traffic

abhicc - I didn't understand what you mean by "to have a signature or
rule which will create a region where other vulnerability specific
rules can operate."
What I meant to say is, there are more chances for false positives in
client-side HTTP. Understanding of the protocol is necessary, but I don't
understand how it's related to false positives. There might be a
vulnerability in a webserver where a GET request of more than 256
characters might crash it; that doesn't mean there cannot be a GET request with
more than 256 characters. (if you consider writing generic filters)

hirosh - We are not coming to the argument of exploit vs. vulnerability
nor about how fast we can write rules. Say tackling file format
vulnerabilities, you can do some sort of file format decoder, but that
too will be complex. Especially client-side, there are way too many
evasion tactics. You can also be creative in writing exploit specific
filters :) If we just look for AAAA, it will be hard to survive in the
industry :)

-Abhishek

On 8 Aug 2007 10:22:39 -0000, hirosh <at> gmail.com <hirosh <at> gmail.com> wrote:
> Exploit specific means -> you have less idea about the vulnerability and you want to complete the rules fast??
>
> If you have a good idea about the vulnerability and you can do a better protocol or whatever parsing is needed, then why
> go for exploit specific? It doesn't look professional; you can be bypassed by just changing AAA to BBB bobo..

hsalleeh | 8 Aug 2007 18:42

Embedded IP inside HTTP packets

Hello,

Some HTTP packets contain IP addresses inside the payload,
so I want to get them. How, and using what?
I know I can do it by decoding the HTTP payload using the RFCs as I did for other protocols, BUT I couldn't find any
RFC that describes the format and structure of the payload. If you know these RFCs (explaining this info),
please refer me to them.

If there is any solution, using snort or anything, please help me.
I am using snort with MySQL.
Thanks in advance

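There is no RFC for the body format the question asks about, because the HTTP RFCs only define the framing (start line, headers, a blank line, then a body whose length comes from Content-Length or the transfer coding); what is inside the body is up to the application. Pulling embedded addresses out therefore means parsing the framing and then scanning the parts. This is an added example, not code from snort or from the original post; the HTTP response below, its header values and the addresses in it are constructed, and the extraction is plain regex plus octet validation rather than any particular IDS's decoder:

```python
import ipaddress
import re

# Dotted quad not glued to other dotted or word characters, so a version
# string like "1.2.3.4.5" is not split into a bogus address.
IPV4_CANDIDATE = re.compile(r"(?<![\w.])(\d{1,3}(?:\.\d{1,3}){3})(?![\w.])")


def split_http_message(raw: bytes):
    """Split a raw HTTP message into (start_line, headers, body).

    Headers are lower-cased into a dict; the body is cut at Content-Length
    when one is present, as the framing rules require. Text is decoded as
    latin-1 so binary bodies can still be scanned without errors.
    """
    head, _sep, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    start_line = lines[0]
    headers = {}
    for line in lines[1:]:
        name, _colon, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = headers.get("content-length")
    if length is not None and length.isdigit():
        body = body[: int(length)]
    return start_line, headers, body.decode("latin-1")


def find_ipv4(text: str):
    """Return the syntactically valid IPv4 addresses found in text, in order."""
    found = []
    for match in IPV4_CANDIDATE.finditer(text):
        try:
            ipaddress.IPv4Address(match.group(1))  # rejects octets above 255
        except ValueError:
            continue
        found.append(match.group(1))
    return found


def embedded_ips(raw: bytes) -> dict:
    """Locate IPv4 addresses in each part of an HTTP message separately,
    since an address in X-Forwarded-For means something different from one
    in a JSON body."""
    start_line, headers, body = split_http_message(raw)
    header_text = " ".join(f"{k}: {v}" for k, v in headers.items())
    return {
        "start_line": find_ipv4(start_line),
        "headers": find_ipv4(header_text),
        "body": find_ipv4(body),
    }


# Constructed sample response. The bytes after Content-Length are deliberate:
# they must not be scanned as part of the body.
_BODY = (
    b'{"client": "203.0.113.7", "next_hop": "198.51.100.20", '
    b'"build": "1.2.3.4.5", "bogus": "999.1.1.1"}'
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/json\r\n"
    b"X-Forwarded-For: 192.0.2.10\r\n"
    b"Content-Length: " + str(len(_BODY)).encode() + b"\r\n"
    b"\r\n" + _BODY + b"trailing bytes past Content-Length 10.0.0.1"
)


if __name__ == "__main__":
    for part, addresses in embedded_ips(SAMPLE_RESPONSE).items():
        print(f"{part:11} {addresses}")
```

The same split-then-scan approach applies to a reassembled TCP stream captured by snort: framing first, then the body, with the Content-Length cut applied before scanning so that data from the next message on a keep-alive connection is not attributed to this one.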

Javier Reyna Padilla | 8 Aug 2007 23:08

Re: Shell Code detection patterns

http://blogs.iss.net/archive/SCH%20and%20Yahoo%21%20Webca.html

Just a little read about that!

yan <at> upnn.edu wrote:
> Hi,
>
> I am seeking some reference material which can provide me information about detection of shell code
> patterns in IPS
>
> Thanks
> Yan

-- 
Regards!

hirosh | 9 Aug 2007 05:57

Re: Re: Re: Re: HTTP traffic

> Say tackling file format vulnerabilities, you can do some sort of file format decoder, but that
> too will be complex.

Boss, all software will be complex if you want to achieve better things.
A simple file format decoder is complex for you, but for a product it is necessary,
don't you think so? Come out from your capabilities and think about a product that needs to be used in corporate networks.

> Especially client-side, there are way too many evasion tactics.

Interesting!! But a proper product should cover all these evasion tactics, isn't it?
Instead of going for exploit specific,
that's what I am trying to say..
FPs are coming just because you need a better understanding of the protocol and need a good parser..
