Intrusion Detection Systems mailing list archives
Re: Mod FWD
From: Dragos Ruiu <dr () v-wave com>
Date: Wed, 6 Sep 2000 13:28:33 -0700
Archive: http://msgs.securepoint.com/ids

On Wed, 06 Sep 2000, Jackie Chan wrote:
> Not to argue with Marcus, but his quote of the fragmented attack going "unseen" is not totally correct. It is true that without packet reassembly one cannot correctly identify the type of attack that is taking place; however, most IDSs that do not execute packet re-assembly DO alert on the fact that they saw fragmented packets, and which source IP they originated from. So to clarify, packet re-assembly is required to categorize the attack taking place. It is not needed to merely detect the anomalous pattern of the fragmented packet stream.
Damn, and I usually like disagreeing with Mr. Ranum, but I have to side with him on this. I've just been updating my defragger code for snort and thinking a lot about this issue, and upon consideration.... There are whole classes of attack and obfuscation that are possible to sneak by if you don't reassemble or maintain enough cross-fragment state to do some consistency checks.

Speaking in snort terms (but I'm sure it's applicable to other IDS systems' capabilities), the minfrag plugin, which predated my defrag plug-in and was a primary line of defense against frag attacks up until a little while ago, will only alert when fragments exceed certain thresholds, size, number.... and based on only these criteria, it is still possible to use fragmentation to sneak by some very nasty stuff and have the fragment detectors stay quiet as a rock... because to wire them any tighter would set off a string of falses on ordinary, naturally occurring fragmented traffic....

Yeah, simple fragment detectors will catch the script kiddies using stock nmap -f, hping -f, and fragrouter, but don't kid yourself... without full fragment checking, there are still massive holes in your detection system and people can drive a small tractor trailer full of shellcode or nasty cgi queries right past your very silent intrusion alarm that won't see a thing.

And the old "Well, we look at and filter the head fragment, isn't that good enough?" you get from some IDS and firewall vendors makes me laugh... What's your IP address again? I know a few IRC channels that may be interested in building up their bot fleets...

BTW the same statements could apply to web character notation and TCP reassembly, when looking for things like CGI probes. IDS is a tough job that requires hefty processing power and thoroughly optimized, full implementations to do right, imho....

cheers,
--dr

--
Dragos Ruiu <dr () dursec com> dursec.com ltd. / kyx.net - we're from the future
pgp fingerprint: 18C7 E37C 2F94 E251 F18E B7DC 2B71 A73E D2E8 A56D
pgp key: http://www.dursec.com/drkey.asc
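The point of the post above, as an added illustration that is not snort code and not the author's: a threshold-only fragment check and a per-fragment signature search both stay quiet on a datagram whose signature straddles a fragment boundary, while a reassembler that keeps cross-fragment state catches it and also flags overlapping or incomplete fragment sets as anomalies. The thresholds, the signature string and the fragments are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Fragment:
    offset: int    # fragment offset in 8-byte units, as in the IP header
    more: bool     # More Fragments (MF) flag
    payload: bytes

def threshold_alert(frags, min_size=32, max_count=16):
    """minfrag-style detector (thresholds hypothetical): alerts only on a
    small non-final fragment or on too many fragments."""
    tiny = any(f.more and len(f.payload) < min_size for f in frags)
    return tiny or len(frags) > max_count

def match_without_reassembly(frags, signature):
    """Per-fragment signature search; keeps no cross-fragment state."""
    return any(signature in f.payload for f in frags)

def reassemble(frags):
    """Return (payload, anomalies); anomalies: overlap, gap, no_last."""
    anomalies, buf, seen = set(), bytearray(), bytearray()
    for f in sorted(frags, key=lambda f: f.offset):
        start, end = f.offset * 8, f.offset * 8 + len(f.payload)
        if end > len(buf):
            buf.extend(bytes(end - len(buf)))
            seen.extend(bytes(end - len(seen)))
        if any(seen[start:end]):
            anomalies.add("overlap")      # same bytes covered twice
        buf[start:end] = f.payload
        seen[start:end] = b"\x01" * (end - start)
    if not all(seen):
        anomalies.add("gap")              # a hole in the datagram
    if all(f.more for f in frags):
        anomalies.add("no_last")          # final fragment never arrived
    return bytes(buf), anomalies

def match_with_reassembly(frags, signature):
    """Alert on the signature in the reassembled datagram or on any anomaly."""
    payload, anomalies = reassemble(frags)
    return signature in payload or bool(anomalies)

# Constructed datagram: a request line split so the signature straddles the
# fragment boundary; both fragments exceed the size threshold.
SIGNATURE = b"/cgi-bin/placeholder"
FRAGS = [
    Fragment(0, True, b"A" * 56 + b"GET /cgi-bin/pla"),        # bytes 0-71
    Fragment(9, False, b"ceholder HTTP/1.0\r\n" + b"B" * 40),  # bytes 72-130
]
if __name__ == "__main__":
    print(threshold_alert(FRAGS), match_without_reassembly(FRAGS, SIGNATURE),
          match_with_reassembly(FRAGS, SIGNATURE))   # False False True
```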