X-Force Response to ISS RealSecure's ability to address modified attack signatures
From: xforce () ISS NET (X-Force)
Date: Thu, 2 Mar 2000 16:12:51 -0500
This message is being sent in response to the recent postings on both the
IDS forum and on BugTraq regarding ISS RealSecure's ability to address the
modified attack signatures described in those postings.
NEW ATTACK SIGNATURES
When new attack types and evasive techniques are identified by ISS product
developers and ISS X-Force researchers, we update our products with
additional X-Press Updates to detect and block such attacks. Just as
anti-virus software must regularly release new virus definition files when
new viruses are found, Intrusion Detection Software such as RealSecure must
be updated when new attacks are developed and discovered.
ENHANCEMENTS TO NEXT REALSECURE RELEASE
ISS development is aware of the modified attacks described in the postings.
They have been addressed by engineering for the next major release of
RealSecure. As with any software product, RealSecure continues to develop
and evolve and so does the strength and scope of the attack signatures and
packet processing. The next RealSecure release contains numerous additions
and enhancements that will allow RealSecure to detect the modified attacks
described in the BugTraq posting.
FALSE POSITIVES FOR SENDMAIL ATTACKS
RealSecure's analysis of email messages is designed to enhance performance
by treating email headers and message content the same. While this can lead
to false positives under certain conditions, customers rarely receive such
false positives if RealSecure is configured properly. By turning off the Wiz
check, as recommended (since very few machines are vulnerable to the Wizard
backdoor), customers can reduce excessive false positives. Many RealSecure
signatures, like the email signatures, include advanced tuning options that
also help reduce false positives. These advanced options allow you to configure
many parameters, such as how often an event must be seen within a
user-defined period of time before triggering a response. This functionality
is very flexible and allows users to configure this flood protection based
on many parameters, such as source and destination address and port.
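The event-frequency tuning described above, as an added illustration that is not ISS code and does not reflect how RealSecure implements it: alerts are grouped by signature, source, destination and port, and a response fires only once a user-defined number of matching events arrives within a user-defined window. Host addresses and the sample alerts are constructed for the example.

```python
from collections import defaultdict, deque


class EventThreshold:
    """Raise a response only after `threshold` matching events arrive within
    `window` seconds, grouped by the fields named in `key_fields`."""

    def __init__(self, threshold, window, key_fields=("signature", "src", "dst", "dport")):
        self.threshold = threshold
        self.window = window
        self.key_fields = key_fields
        self.history = defaultdict(deque)   # key -> timestamps still inside the window

    def observe(self, event):
        """Return True if this event completes a burst that warrants a response."""
        key = tuple(event[f] for f in self.key_fields)
        seen = self.history[key]
        now = event["ts"]
        # Drop timestamps that have aged out of the sliding window.
        while seen and now - seen[0] > self.window:
            seen.popleft()
        seen.append(now)
        if len(seen) >= self.threshold:
            seen.clear()          # one response per burst, then start counting again
            return True
        return False


def fired_responses(events, threshold, window):
    """Run events through the filter in timestamp order; return those that fired."""
    flt = EventThreshold(threshold, window)
    return [e for e in sorted(events, key=lambda e: e["ts"]) if flt.observe(e)]


# Constructed sample alerts (hypothetical hosts, not taken from the posting).
def mk(ts, src):
    return {"ts": ts, "signature": "Sendmail_Wiz", "src": src, "dst": "10.0.0.20", "dport": 25}


SAMPLE_EVENTS = (
    [mk(0, "10.0.0.5")]                                       # one stray event: noise
    + [mk(t, "10.0.0.7") for t in (10, 200, 400)]             # spaced out: never 3 in 60 s
    + [mk(t, "10.0.0.9") for t in (100, 101, 102, 103, 104)]  # burst: fires exactly once
)

if __name__ == "__main__":
    for e in fired_responses(SAMPLE_EVENTS, threshold=3, window=60):
        print(f"response: {e['signature']} {e['src']} -> {e['dst']}:{e['dport']} at t={e['ts']}")
```

With threshold 3 and a 60-second window, only the burst from 10.0.0.9 produces a response; the stray and widely spaced events are suppressed.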
WHISKER STEALTH MODES
A signature to detect a broader range of Whisker scans is already in the
engineering builds of RealSecure. We have verified and retested this
signature using the various Whisker modes to ensure comprehensive detection
of this program. The current development build has successfully detected
attempts to evade RealSecure using a variety of methods including stealth
MODIFIED IP FRAGMENTATION ATTACKS
The next release of RealSecure will detect more advanced IP fragmentation
attacks by adding enhanced IP Fragment re-assembly to the Network Sensor.
The IP Fragmentation re-assembly code has been successfully tested both
in-house and at various customer sites. This functionality has been
completely re-engineered to help prevent evasive techniques, such as the
ones described in the BugTraq posting.
In addition to including a variety of new signatures, the next release of
RealSecure will make it even easier to quickly add new signatures using
X-Press Updates. This feature already exists in other ISS SAFEsuite products
and allows ISS to respond in a more timely manner to new security threats.
ISS asks individuals to please report any bugs, new exploits, new
modifications to exploits, and any issues regarding ISS products to
support () iss net
ISS also recommends using the open discussion forum on ISS technology at
http://xforce.iss.net/maillists to seek answers. This forum also provides
many useful tips and advice on how to use RealSecure.
In addition, to ensure proper configuration, ISS recommends customers go
through an ISS intrusion detection training course. Customers may also
request assistance from ISS Consulting Group to help implement and properly
configure RealSecure in a specific environment.