Re: Fw: IDS (ISS) and reverse engineering

[Andrew Plato <aplato () anitian com>]

In-Reply-To: <OFD1224CFB.DF7CA0BF-ON85256DEA.0077EC93 () qvc com>

re-submitted by the moderator's request - he asked not to cross-post)
> Recently I've got to listen to a marketing pitch by an ISS guy. He was
> going
> along the lines of "our X-force reverse-engineered Microsoft RPC libraries
> and created signatures..." and "we use protocol decoding, so we
> reverse-engineered various closed-source protocols in order to create out
> decoders".

Its not entirely accurate. I can't speak for ISS. I just sell and support their stuff. But it sounds like that pitch is 
slightly inaccurate.  

You can sniff network traffic all you want. And from that, you can often determine how a library is responding to 
particular behaviors. I suspect, what is really going on is that X-force is testing these libraries (like the MSRPC) 
and correlating that behavior to network traffic. There is nothing inherently illegal in that. 

This is also not any different from what other security research companies do. In a sense, they are testing other 
manufacturer's products. In ISS's case, however, there is a reason for that. If they can get a signature into their 
sensors before an exploit comes out, then using their products can protect you from the next bad worm. And so far, ISS 
has done a pretty good job in that space. They had sigs out to stop Blaster weeks before it hit. 


Andrew Plato, CISSP
President / Principal Consultant
Anitian Enterprise Security

---------------------------------------------------------------------------
---------------------------------------------------------------------------