RE: Stateful IDS?
From: robert_david_graham (robert_david_graham@yahoo.com)
Date: 01/04/02
From: "robert_david_graham" <robert_david_graham@yahoo.com> To: "'Kevin Martin'" <KMartin@xcaliber.com>, <focus-ids@securityfocus.com> Date: Fri, 4 Jan 2002 14:01:34 +0900
This is what ISS calls a "decode" used for policy compliance and auditing --
it is not an intrusion signature. If your policy is that everyone on
your network should have Java turned off, then this signature should be
enabled. Otherwise, it should be disabled. It is disabled in the default
settings -- I think you turned on ALL possible events, which include these
decode/auditing features.
RealSecure is already fairly "stateful" -- it is doing exactly what you are
describing. It is looking at the response packets from an earlier HTTP
request, scanning them to see if they contain Java byte-codes. If it didn't
keep state, it wouldn't be able to do it.
Robert Graham
Lead Architect, ISS
PS: Actually, we touted our "stateful" technology as a competitive advantage
for our products.
PPS: There are some signatures in the current product that don't take
advantage of state as they should (some trojan sigs). This is one area we
are changing in the next release -- forcing all signatures to use state. We
are also dramatically increasing the types of state we keep, such as
cross-TCP-connection states in protocols like FTP, NetMeeting, RPC, etc.
> -----Original Message-----
> From: Kevin Martin [mailto:KMartin@xcaliber.com]
> Sent: Tuesday, January 01, 2002 2:23 AM
> To: focus-ids@securityfocus.com
> Subject: Stateful IDS?
>
>
> I'm in the middle of evaluating different NIDS and have
> noticed (specifically on ISS) a lot of http-java messages.
> Right now I'm monitoring on my Internet access point so my
> outbound traffic looks to come from a common address (due to
> NAT). When I evaluate the http-java messages that I'm seeing
> (and I'm only using this one service as an example...there
> are others that I see which are as a result of the same
> behavior) they appear to be java responses from valid
> websites back to connections that were initiated from
> internal clients. Now, I'd obviously like to filter these
> out as valid but don't see a way in the NIDS that I'm
> evaluating to make them look at this "statefully". Are there
> any NIDS out there that can do this (basically evaluate the
> response against an earlier connection from source host/port
> combination and not report as error)?
>
> Thanks.
>
> Kevin Martin kmartin@xcaliber.com
> Stafford Trading Inc. Chief Security Officer
> Chicago, IL 60604 TEL +1-312.356.4849
> 230 S. LaSalle, Ste. 688
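The distinction drawn in the reply above (a stateless byte match versus a decode that inspects only the response to a request the sensor already saw) can be shown in a few dozen lines. The following is an added illustration, not ISS or RealSecure code; the packets, addresses and ports are constructed, and the Java class-file magic 0xCAFEBABE stands in for "Java byte-codes" in the HTTP body. A stateless matcher flags any packet carrying those bytes, including an inbound packet nobody asked for; the stateful decode records each outbound request by its 4-tuple, checks only the matching reply, names the internal client that fetched the applet, and fires only when site policy says Java should be off.

```python
"""Stateful "http-java" decode versus a stateless byte match.

Added illustration, not ISS/RealSecure code. All traffic below is
constructed; the Java class-file magic is the only indicator used.
"""
from dataclasses import dataclass

JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def http_body(payload: bytes) -> bytes:
    """Return the body of an HTTP message (everything after the blank line)."""
    _head, sep, body = payload.partition(b"\r\n\r\n")
    return body if sep else b""


def stateless_scan(packets):
    """Stateless matcher: flag every packet carrying the magic, in either
    direction, whether or not any tracked client requested it."""
    return [(p.src, p.dst) for p in packets if JAVA_CLASS_MAGIC in p.payload]


class StatefulJavaDecode:
    """Remember outbound HTTP requests per connection, then inspect only
    the responses that answer them (one response packet per request in
    this toy; a real sensor keeps the state until connection teardown)."""

    def __init__(self, policy_java_disallowed: bool):
        # The decode is an audit event: it fires only if policy forbids Java.
        self.policy_java_disallowed = policy_java_disallowed
        self.pending = {}  # (client, cport, server, sport) -> request line

    def observe(self, pkt: Packet):
        # Client -> server: record the request under its 4-tuple.
        if pkt.payload.startswith((b"GET ", b"POST ")):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            self.pending[key] = pkt.payload.split(b"\r\n", 1)[0]
            return None
        # Server -> client: find the request this packet answers.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        request = self.pending.pop(key, None)
        if request is None or not pkt.payload.startswith(b"HTTP/1."):
            return None  # no matching request seen: no state, no decode
        if self.policy_java_disallowed and JAVA_CLASS_MAGIC in http_body(pkt.payload):
            return {"event": "http-java", "client": pkt.dst, "server": pkt.src,
                    "request": request.decode(errors="replace")}
        return None

    def run(self, packets):
        return [e for e in map(self.observe, packets) if e]


# Constructed traffic: two internal clients (behind NAT from the Internet's
# point of view) talk to a web server; one fetches an applet. A third
# packet is unsolicited inbound data carrying the same bytes.
APPLET_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/java\r\n\r\n"
                   + JAVA_CLASS_MAGIC + b"\x00\x00\x00\x31")
SAMPLE_PACKETS = [
    Packet("10.0.0.7", 40001, "203.0.113.10", 80,
           b"GET /Applet.class HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Packet("203.0.113.10", 80, "10.0.0.7", 40001, APPLET_RESPONSE),
    Packet("10.0.0.8", 40002, "203.0.113.10", 80,
           b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Packet("203.0.113.10", 80, "10.0.0.8", 40002,
           b"HTTP/1.1 200 OK\r\n\r\n<html>no java here</html>"),
    Packet("198.51.100.5", 80, "10.0.0.9", 40003, APPLET_RESPONSE),
]


def demo():
    """Return (stateless hits, stateful events with policy on, with policy off)."""
    stateless = stateless_scan(SAMPLE_PACKETS)
    enforced = StatefulJavaDecode(policy_java_disallowed=True).run(SAMPLE_PACKETS)
    permitted = StatefulJavaDecode(policy_java_disallowed=False).run(SAMPLE_PACKETS)
    return stateless, enforced, permitted


if __name__ == "__main__":
    for label, result in zip(("stateless", "policy on", "policy off"), demo()):
        print(label, result)
```

The stateless scan reports two hits, one of them the unsolicited packet to 10.0.0.9; the stateful decode reports one event, attributed to 10.0.0.7 and the request line that caused it, and nothing at all when the policy permits Java.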