Intrusion Detection Systems mailing list archives

Re: Assessment tools/Scanners


From: ryan25 () wenet net (Ryan M. Ferris)
Date: Wed, 13 Oct 1999 09:33:48 -0700



Two major problems here:

a) complicated attacks and attack forms become push button simple quickly:
Today's black hat is tomorrow's script-kiddie.  (Personally, I think if you
read it in phrack, it's script-kiddie already...)
Today's nation-state is tomorrow's black-hat and so on.

This is just software development evolution.  What took raw assembly and C
yesterday is now tomorrow's push button kit *.exe. (i.e. www.rootkit.com)

b) "people with money" don't have that many other options.  Pop quiz:

Someone name all the IDS (commercial or otherwise) that will reliably (say
90% or more with 5% or less false positive rate) detect:

TCP/IP hijacking
TCP/IP fragmentation and re-assembly
frag router attacks
arp cache and route poisoning

now name me the IDS that will reliably catch the same attacks (at the same
rate) at 25% (10/100baseT) utilization:

So while it is true that "you have to do something", the question becomes:

Is the something you did an 'out of date' shield that will now miss current
hacker penetration?  If so, then the process is horribly flawed, you should
forget about detection and concentrate on prevention and/or re-invent the
conception of an IDS.  Compare this type of viral detection software.  Can
a virus maker survive that does not include the latest virus signatures?
Only if you have a long term government contract perhaps.  (And even then,
viral signature detection patches are now almost produced overnight in the
case of a new outbreak.)  Why do we hold IDS development to a different
standard?

Question:

Is it possible to do anomaly detection at layer 1?  Could an ASIC on a NIC be
built to decode signalling at layer 1 so that IDS and anomaly detection
could be responded to in hardware?

Ryan M. Ferris
ryan25 () wenet net

----- Original Message -----
From: Martin Roesch <roesch () clark net>
To: Dug Song <dugsong () monkey org>
Cc: <ids () uow edu au>
Sent: Tuesday, October 12, 1999 8:28 AM
Subject: Re: IDS: Assessment tools/Scanners

FAQ: See http://www.ticm.com/kb/faq/idsfaq.html
IDS: See http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner () uow edu au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicted mail to this list.
---------------------------------------------------------------------------
---
Dug Song wrote:

> it only takes one person with "skillz" to produce an idiot-proof exploit.
> e.g. congestant - Phrack 54, article 10:
>
>         http://www.phrack.com/search.phtml?view&article=p54-10

True enough, but you're never completely safe.  Secure yourself against
script kiddies and you're still open to industrial espionage & the
"Elite Blackhat".  Secure yourself against those guys and you're still
wide open to nation-state level attackers, who don't play fair.  Secure
yourself against *them* and you're not using computers anymore....

> snort will alert on tiny IP fragments, sure. but it is easily eluded by
> TCP message reordering (fragrouter -T9: out-of-order 1-byte TCP segments),
> and many other TCP-based attacks (overlapping segments, interleaved null
> segments, etc.).

Um, I think this assumes that Snort keeps state at all, which it
doesn't.  In fact, the 1.X series has been kept intentionally
stateless.  2.0 will be vulnerable to these attacks as soon as I get
around to implementing fun stuff like TCP reassembly and IP defrag. :)

> misuse detection systems also tend to miss simple application-level
> subterfuge attacks. as a demonstration, i've added simple randomized HTTP
> URI encoding to the common cgichk exploit scanner:
>
>         http://www.monkey.org/~dugsong/tmp/cgichk3-dug.tar.gz

Oh yes, completely.  OTOH, you have to do *something*, and just throwing
your hands up in the air and eschewing electricity isn't a viable option
for most people.  There are no total solutions, so you have to figure
out what's useful given your financial and technical capabilities.  In
the "no money but need some sort of IDS" market space, Snort is useful
because it's free, comes with source, and does an adequate job of
detecting the attacks in the script kiddie domain.  If people don't like
that it doesn't do (for example) IP defrag yet, they can write a
defragger (and send me the patches!) or they can wait until I get around
to writing it.  People with money have other options.  :)


     -Marty

--
Martin Roesch
roesch () clark net
http://www.clark.net/~roesch

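Added example (not code from this thread, from Snort or from cgichk): the two evasions Dug describes, out-of-order 1-byte TCP segments and percent-encoded URIs, seen from the detector's side. A hypothetical signature is applied first per segment with no state, then after TCP reassembly and URI normalization; the rule pattern, sequence numbers and request are all constructed.

```python
import re
from urllib.parse import unquote

# Hypothetical signature standing in for an IDS rule that looks for a
# well-known CGI path in the HTTP request line.
SIGNATURE = re.compile(r"/cgi-bin/phf")

def split_into_segments(data, isn=1000, size=1):
    """Cut a request into (seq, payload) TCP segments of the given size."""
    return [(isn + i, data[i:i + size]) for i in range(0, len(data), size)]

def normalize_uri(text):
    """Undo percent-encoding and case variation before signature matching."""
    return unquote(text).lower()

def stateless_match(segments):
    """Per-packet inspection with no state: each segment is tested alone."""
    return any(SIGNATURE.search(normalize_uri(p)) for _, p in segments)

def reassemble(segments):
    """Order segments by sequence number; on overlap the first-seen byte wins."""
    stream = {}
    for seq, payload in segments:
        for i, byte in enumerate(payload):
            stream.setdefault(seq + i, byte)
    return "".join(stream[k] for k in sorted(stream))

def stateful_match(segments, normalize=True):
    """Reassemble the stream, optionally normalize, then apply the signature."""
    data = reassemble(segments)
    if normalize:
        data = normalize_uri(data)
    return bool(SIGNATURE.search(data))

# Constructed sample request with randomized percent-encoding of the URI.
REQUEST = "GET /c%67i-bin/%70%68f?Qalias=x HTTP/1.0\r\n"
# Constructed wire view: 1-byte segments delivered in reverse order, plus one
# retransmitted (overlapping) copy of the first byte.
SEGMENTS = list(reversed(split_into_segments(REQUEST))) + [(1000, "G")]

if __name__ == "__main__":
    print("stateless:            ", stateless_match(SEGMENTS))
    print("reassembled only:     ", stateful_match(SEGMENTS, normalize=False))
    print("reassembled+normalized", stateful_match(SEGMENTS))
```

Per-segment matching never sees the pattern, reassembly alone still misses the encoded path, and only reassembly plus normalization fires the rule.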