Dailydave mailing list archives
RE: File-format based vulns - How do IDS/IPS vendors detect them?
From: "Paul Melson" <pmelson () gmail com>
Date: Thu, 10 Nov 2005 10:38:00 -0500
-----Original Message-----
Subject: [Dailydave] File-format based vulns - How do IDS/IPS vendors detect them?

> After the recent announcement of file-format based vulnerabilities in MS Patch Tuesday, I was wondering how do IPS/IDS vendors claim to protect against them (most of them, like TippingPoint, claim to do so). Do they scan data transfer streams (SMTP, FTP, HTTP etc.) for these malicious files or is it a local check? If they do detect it on the network, doesn't it screw up their device due to the high chance of false positives and high resource consumption?
Your network IDS can look into data streams for these exploits, but typically one of two things happens. Either the check is looking for something (or multiple things) that comes from known exploit code, or it looks for something unique to the vulnerability. These methods both have problems. The first method may miss exploits that the vendor didn't examine when writing their signature, leaving you vulnerable and unaware. It's bad, but still fairly common practice.

Typically products that do this have R&D teams that have been instructed to "teach to the test", as this form of detection does well in trade magazine shoot-outs. However, I think it's obvious why these signatures don't do so well in the wild.

The second method casts a large net, and is likely to alert and/or shut down connections that aren't actually part of an attack. A good example of this is the Bleeding Snort signatures for MS05-036, the previous Microsoft image file format vulnerability. What those signatures actually test for is the number and size of embedded ICC tags inside of JPEG or GIF image files. These signatures generate plenty of false positives, as lots of sites use these tags outside of the ICC standard.

In either case, your network IDS is only looking for tiny pieces of data to alert on, which will not consume a large number of resources. But you bring up a good point. The reason that detection methods like these are used is because they're low-cost. Better analysis is possible, but at resource costs that don't scale. At least not yet.

PaulM
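As an added illustration (not the Bleeding Snort rule and not code from anyone in this thread), the vulnerability-oriented style of check Paul describes for MS05-036 amounts to walking a JPEG's APP2 segments and counting and sizing the embedded ICC_PROFILE chunks; the thresholds and the two constructed sample images below are assumptions chosen to show where such a check fires.

```python
import struct

SOS, EOI, APP2 = 0xDA, 0xD9, 0xE2
ICC_TAG = b"ICC_PROFILE\x00"   # 12-byte identifier that opens every ICC chunk

def jpeg_segments(data: bytes):
    """Yield (marker, payload) for each header segment before scan data (SOS) or EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker in (SOS, EOI):
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]   # includes its own 2 bytes
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length

def icc_chunks(data: bytes):
    """Return (seq, total, data_len) for every APP2 ICC_PROFILE chunk in the file."""
    out = []
    for marker, payload in jpeg_segments(data):
        if marker == APP2 and payload.startswith(ICC_TAG) and len(payload) >= 14:
            seq, total = payload[12], payload[13]   # chunk index and chunk count
            out.append((seq, total, len(payload) - 14))
    return out

def icc_verdict(data: bytes, max_chunks=8, max_bytes=64 * 1024):
    """Signature-style heuristic: (fires, chunk_count, total_profile_bytes). Thresholds are assumed."""
    chunks = icc_chunks(data)
    n, size = len(chunks), sum(c[2] for c in chunks)
    return (n > max_chunks or size > max_bytes), n, size

def build_jpeg(icc_payloads):
    """Constructed test image: SOI, one APP2 segment per payload, then an empty SOS and EOI."""
    segs = b""
    for i, p in enumerate(icc_payloads, 1):
        body = ICC_TAG + bytes([i, len(icc_payloads)]) + p
        segs += b"\xff\xe2" + struct.pack(">H", len(body) + 2) + body
    return b"\xff\xd8" + segs + b"\xff\xda\x00\x02" + b"\xff\xd9"

BENIGN = build_jpeg([b"\x00" * 3144])          # constructed: one small sRGB-sized profile
SUSPECT = build_jpeg([b"\x00" * 60000] * 4)    # constructed: four chunks, 240000 bytes total
```

A legitimately large press profile spread over several chunks trips the same size threshold, which is exactly the false-positive problem the post describes with signatures that test structure rather than exploit bytes.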
Current thread:
- File-format based vulns - How do IDS/IPS vendors detect them? Joshua Russel (Nov 09)
- Re: File-format based vulns - How do IDS/IPS vendors detect them? Matt Hargett (Nov 09)
- RE: File-format based vulns - How do IDS/IPS vendors detect them? Paul Melson (Nov 10)
