IDS: Re: Help in writing Network IDS/IPS signature to detect sftp vulnerability

IDS mailing list archives

Re: Help in writing Network IDS/IPS signature to detect sftp vulnerability

From: "Ravi Chunduru" <ravi.is.chunduru () gmail com>
Date: Mon, 9 Jun 2008 18:03:04 -0700

thank you.   I guess I need to depend on access controls and version string.

Thanks
Ravi.

On Mon, Jun 9, 2008 at 11:55 AM, Sergio Castro <sergio.castro () unicin net> wrote:

When you don't have access to the signature, you always have access to the
behavior. You can use network behavior analysis to detect abnormal traffic
patterns, such as SSH traffic from unknown public IPs, or at unusual hours,
or unusual data transfer rates.
What IDS are you using?

-----Mensaje original-----
De: listbounce () securityfocus com [mailto:listbounce () securityfocus com] En
nombre de Ravi Chunduru
Enviado el: Viernes, 06 de Junio de 2008 07:22 p.m.
Para: Focus IDS
Asunto: Help in writing Network IDS/IPS signature to detect sftp
vulnerability

Hi,

Check this disclosure at

http://archives.neohapsis.com/archives/fulldisclosure/2008-06/0101.html

the attack data is encrypted within the encrypted SSH.   Without
having to decrypt the SSH, is there any clever way to detect this (using
some kind of anomaly on the packet size, type of characters etc.. )?

thanks
Ravi

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=in
tro_sfw
to learn more.
------------------------------------------------------------------------



__________ NOD32 3167 (20080609) Information __________

This message was checked by NOD32 antivirus system.
http://www.eset.com


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------

By Date By Thread

Current thread:

Help in writing Network IDS/IPS signature to detect sftp vulnerability Ravi Chunduru (Jun 09)
- RE: Help in writing Network IDS/IPS signature to detect sftp vulnerability Sergio Castro (Jun 09)
  - Re: Help in writing Network IDS/IPS signature to detect sftp vulnerability Ravi Chunduru (Jun 10)
- RE: Help in writing Network IDS/IPS signature to detect sftp vulnerability Srinivasa Addepalli (Jun 09)