Intrusion Detection Systems mailing list archives
Re: Assessment tools/Scanners
From: roesch () clark net (Martin Roesch)
Date: Tue, 12 Oct 1999 11:28:37 -0400
Dug Song wrote:
> it only takes one person with "skillz" to produce an idiot-proof exploit.
> e.g. congestant - Phrack 54, article 10:
> http://www.phrack.com/search.phtml?view&article=p54-10
True enough, but you're never completely safe. Secure yourself against script kiddies and you're still open to industrial espionage & the "Elite Blackhat". Secure yourself against those guys and you're still wide open to nation-state level attackers, who don't play fair. Secure yourself against *them* and you're not using computers anymore....
> snort will alert on tiny IP fragments, sure. but it is easily eluded by TCP message reordering (fragrouter -T9: out-of-order 1-byte TCP segments), and many other TCP-based attacks (overlapping segments, interleaved null segments, etc.).
Um, I think this assumes that Snort keeps state at all, which it doesn't. In fact, the 1.X series has been kept intentionally stateless. 2.0 will be vulnerable to these attacks as soon as I get around to implementing fun stuff like TCP reassembly and IP defrag. :)
> misuse detection systems also tend to miss simple application-level
> subterfuge attacks. as a demonstration, i've added simple randomized HTTP
> URI encoding to the common cgichk exploit scanner:
> http://www.monkey.org/~dugsong/tmp/cgichk3-dug.tar.gz
Oh yes, completely. OTOH, you have to do *something*, and just throwing
your hands up in the air and eschewing electricity isn't a viable option
for most people. There are no total solutions, so you have to figure
out what's useful given your financial and technical capabilities. In
the "no money but need some sort of IDS" market space, Snort is useful
because it's free, comes with source, and does an adequate job of
detecting the attacks in the script kiddie domain. If people don't like
that it doesn't do (for example) IP defrag yet, they can write a
defragger (and send me the patches!) or they can wait until I get around
to writing it. People with money have other options. :)
-Marty
--
Martin Roesch
roesch () clark net
http://www.clark.net/~roesch
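The two evasions discussed above (out-of-order 1-byte TCP segments and hex-encoded HTTP URIs) both defeat a stateless per-packet matcher, which is the point Marty concedes for Snort 1.x. The following is an added illustration, not Snort code or anything from this thread: a minimal sequence-number reassembler plus percent-decoding in front of the same pattern match. The signature, the request and the segment stream are constructed sample data.

```python
import random
from urllib.parse import unquote_to_bytes

SIGNATURE = b"/cgi-bin/example.cgi"  # constructed pattern, not a real Snort rule

def stateless_match(segments, pattern=SIGNATURE):
    """Per-packet matching with no state kept: each segment is inspected alone."""
    return any(pattern in payload for _seq, payload in segments)

class StreamReassembler:
    """Minimal in-order TCP reassembly keyed on relative sequence numbers."""
    def __init__(self, isn):
        self.next_seq = isn      # next byte the receiving application would get
        self.pending = {}        # seq -> payload, held until earlier bytes arrive
        self.data = bytearray()  # stream delivered so far

    def add(self, seq, payload):
        self.pending.setdefault(seq, payload)  # first copy of a sequence number wins
        while True:
            ready = [s for s in self.pending if s <= self.next_seq]
            if not ready:
                return           # gap: wait for the missing bytes
            s = min(ready)
            # Bytes already delivered are dropped; a production reassembler must
            # resolve overlaps the same way the protected host's TCP stack does.
            chunk = self.pending.pop(s)[self.next_seq - s:]
            self.data += chunk
            self.next_seq += len(chunk)

def reassembled_match(isn, segments, pattern=SIGNATURE):
    """Match after reassembling the stream and percent-decoding the request."""
    r = StreamReassembler(isn)
    for seq, payload in segments:
        r.add(seq, payload)
    return pattern in unquote_to_bytes(bytes(r.data))

def one_byte_segments(isn, request, seed=7):
    """Constructed sample: the request delivered as shuffled 1-byte segments,
    the out-of-order case the thread attributes to fragrouter -T9."""
    segs = [(isn + i, request[i:i + 1]) for i in range(len(request))]
    random.Random(seed).shuffle(segs)
    return segs

# Constructed request; the URI is partly hex-encoded like the cgichk variant above.
REQUEST = b"GET /cgi%2dbin/ex%61mple.cgi HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    segs = one_byte_segments(1000, REQUEST)
    print("stateless match:", stateless_match(segs))            # False
    print("reassembled match:", reassembled_match(1000, segs))  # True
```

Even the single-packet case fails the stateless matcher because of the encoding alone; the reassembled and decoded stream matches in both cases.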