|
IDS
mailing list archives
Re: Packet/Protocol Anomaly Detection with IDS
From: "hibano haleluya" <hibano () hotmail com>
Date: Wed, 25 May 2005 05:01:39 +0000
Hi,
I juz wanna add some info.
Normally all standard services are already defined in RFC.
But sometimes, these services alway be attacked from intruders by using weak
points of applications by using un-standard packet which defined by RFC.
Such as packet range in DNS query, or any packets which are included
abnormal flag bits. If some applications get any abnormal input like these,
they will be attacked.
Good IDS & IDP must capture non-standard packets for checking and
preventing.
PS. May not be best describe, apologize me in advance. :))
regards,
Hibano
From: Joachim Schipper <j.schipper () math uu nl>
To: focus-ids () securityfocus com
Subject: Re: Packet/Protocol Anomaly Detection with IDS
Date: Fri, 20 May 2005 17:40:49 +0200
MIME-Version: 1.0
Received: from outgoing.securityfocus.com ([205.206.231.26]) by
mc10-f42.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Tue, 24 May 2005
16:58:33 -0700
Received: from outgoing.securityfocus.com by outgoing.securityfocus.com
via smtpd (for mc10.bay6.hotmail.com [65.54.166.230]) with ESMTP;
Tue, 24 May 2005 16:58:33 -0700
Received: from lists.securityfocus.com (lists.securityfocus.com
[205.206.231.19])by outgoing2.securityfocus.com (Postfix) with QMQPid
957F2144DA3; Tue, 24 May 2005 17:21:39 -0600 (MDT)
Received: (qmail 9634 invoked from network); 20 May 2005 16:12:25 -0000
X-Message-Info: 6sSXyD95QpXuwHD2WyQCQY3U/NWogCbP5cCNv2AASg8=
Mailing-List: contact focus-ids-help () securityfocus com; run by ezmlm
Precedence: bulk
List-Id: <focus-ids.list-id.securityfocus.com>
List-Post: <mailto:focus-ids () securityfocus com>
List-Help: <mailto:focus-ids-help () securityfocus com>
List-Unsubscribe: <mailto:focus-ids-unsubscribe () securityfocus com>
List-Subscribe: <mailto:focus-ids-subscribe () securityfocus com>
Delivered-To: mailing list focus-ids () securityfocus com
Delivered-To: moderator for focus-ids () securityfocus com
Mail-Followup-To: focus-ids () securityfocus com
References: <20050519205055.30251.qmail () www securityfocus com>
User-Agent: Mutt/1.4.2i
X-GnuPG-key: 3D6A8A5F, available at http://jschipper.dynalias.net/key
X-GnuPG-fingerprint: 23E2 60F6 28DE BC9F 3E5D 414D 39CA 2BF4 3D6A 8A5F
X-Spam-Checker-Version: SpamAssassin 3.0.0-r20550 (2004-05-28) on
mail.securityfocus.com
X-Spam-Status: No, score=0.3 required=5.0 tests=AWL,FORGED_RCVD_HELO
autolearn=failed version=3.0.0-r20550
X-Spam-Level: Return-Path:
focus-ids-return-6096-hibano=hotmail.com () securityfocus com
X-OriginalArrivalTime: 24 May 2005 23:58:33.0346 (UTC)
FILETIME=[7DF82620:01C560BC]
On Thu, May 19, 2005 at 08:50:55PM -0000, Harald Frlinger wrote:
>
>
> Hi Community,
>
> im a student, and at the moment im searching
> for some input to write my exam.
>
> The title is "Packet/Protocol Anomaly Detection with IDS", i already got
some good input.
> But some things are quiet hard to find.
>
> What i need is some examples on attacks,
> on specific protocols, like ftp, http, tcp ...
> I know there are attacks like Dos or Buffer Overflows.
> But i need some more.
>
> Maybe you can tell me some good ressources or
> examples.
>
> Thanks all, and sorry for my english.
>
>
> mfg
> harry
Hello Harry,
one thing I recently discovered was HTTP response splitting (known for
some time, but hey - I can't know everything). Quite interesting.
Some FTP implementations (wuftpd) react(ed) badly to LIST commands with
lots of wildcards, which allows an easy DoS.
Brute-forcing might be interesting too.
There are many others, but I'm just a student myself... ;-)
Joachim
<< attach3 >>
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
 By Date 
By Thread
Current thread:
|
Intro
