Re: Crying wolf: False alarms hide attacks : Eight IDSs fail to impress during the monthlong test on a production network.
From: Michal Zalewski (lcamtuf@coredump.cx)
Date: 06/28/02
- Previous message: Matt Curtin: "Re: Concerns with NFR"
- In reply to: tHe fuJi: "Re: Crying wolf: False alarms hide attacks : Eight IDSs fail to impress during the monthlong test on a production network."
- Next in thread: Craig H. Rowland: "RE: Crying wolf: False alarms hide attacks : Eight IDSs fail to impress during the monthlong test on a production network."
Date: Fri, 28 Jun 2002 13:32:15 -0400 (EDT)
From: Michal Zalewski <lcamtuf@coredump.cx>
To: tHe fuJi <fujix2@hotmail.com>
On Fri, 28 Jun 2002, tHe fuJi wrote:
> If the IDS has a protocol analysis engine then a trained analyst could
> determine whether the host was compromised or not.
Hardly. There is an odd UDP packet containing something that looks like it
has a shellcode and some local command embedded in it. The packet is being
sent to an [n]talkd daemon. There is no response from the daemon. Was it
because the packet was dropped as invalid, or because the command was
executed successfully? Not all exploits would simply start an interactive
/bin/sh session on the socket. Without additional knowledge (examining the
target system or the daemon to determine how the packet would be handled
and whether it would actually trigger any vulnerability), you can't tell.
There's nothing about protocol analysis that could change it - the
analysis engine would not necessarily be the same as the implementation
your service is running, and thus, it can think the packet was valid while
it wasn't, or vice versa. Besides, protocol analysis engines are very
often even more vulnerable to all sorts of attacks than the service
itself, as demonstrated by tcpdump, ettercap and several other sniffers
many times.
-- _____________________________________________________ Michal Zalewski [lcamtuf@bos.bindview.com] [security] [http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};: =-=> Did you know that clones never use mirrors? <=-= http://lcamtuf.coredump.cx/photo/
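An added illustration of the two points made in the message above: a passive analysis engine parses a datagram with its own code, not the daemon's, so the two can disagree on what is valid; and when the daemon sends nothing back, a dropped packet and a silently processed one leave the same trace on the wire. This example is not part of the original post or thread. The two-byte toy protocol, both parsers, the "daemon" and the packets are constructed here for illustration and are not ntalkd's format or any real IDS engine.

```python
"""Parser differential between a passive analysis engine and the
service it watches.  Toy protocol: 1-byte kind, 1-byte length, body.
Everything here is constructed for the example."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Msg:
    kind: int
    body: bytes


def service_parse(pkt: bytes) -> Optional[Msg]:
    """The daemon's parser (constructed).  It reads the length as a
    signed byte, a common C pitfall with a plain `char len`, and it
    ignores any trailing bytes beyond the declared length."""
    if len(pkt) < 2:
        return None
    kind = pkt[0]
    length = int.from_bytes(pkt[1:2], "big", signed=True)
    if length < 0 or length > len(pkt) - 2:
        return None  # dropped as invalid; nothing is sent back
    return Msg(kind, pkt[2:2 + length])


def ids_parse(pkt: bytes) -> Optional[Msg]:
    """The analysis engine's parser (constructed).  It reads the length
    as unsigned and insists that it account for every remaining byte."""
    if len(pkt) < 2:
        return None
    kind = pkt[0]
    length = pkt[1]
    if length != len(pkt) - 2:
        return None
    return Msg(kind, pkt[2:])


def verdicts(pkt: bytes) -> Tuple[bool, bool]:
    """(engine thinks valid, daemon thinks valid).  Any mismatch is a
    parser differential: the engine reasons about a packet the daemon
    never saw the same way."""
    return ids_parse(pkt) is not None, service_parse(pkt) is not None


def deliver(pkt: bytes, state: List[bytes]) -> Tuple[Optional[bytes], bool]:
    """Hand a datagram to the toy daemon.  Returns (reply seen on the
    wire, whether the daemon actually acted on it).  Kind 1 is a
    one-way notification that changes state but never answers; kind 2
    is a query that always answers.  A passive observer only gets the
    first element of the tuple."""
    msg = service_parse(pkt)
    if msg is None:
        return None, False           # dropped: silent
    if msg.kind == 1:
        state.append(msg.body)       # processed: also silent
        return None, True
    if msg.kind == 2:
        return b"ACK", True
    return None, False               # unknown kind: silent drop


def wire_indistinguishable(a: bytes, b: bytes) -> bool:
    """True when two datagrams produce the same observable reply but
    a different outcome inside the daemon, i.e. the case the message
    above describes: no response, and no way to tell why from the wire."""
    reply_a, acted_a = deliver(a, [])
    reply_b, acted_b = deliver(b, [])
    return reply_a == reply_b and acted_a != acted_b


# Constructed packets.
CLEAN = b"\x01\x03abc"                  # both parsers agree: valid
TRAILING = b"\x01\x03abc" + b"XYZ"      # engine: invalid; daemon: valid, acts on it
HIGH_BIT = b"\x01\x80" + b"A" * 128     # engine: valid; daemon: drops (length read as -128)
BAD_LEN = b"\x01\x0fabc"                # both: invalid, dropped

if __name__ == "__main__":
    for name, pkt in [("clean", CLEAN), ("trailing", TRAILING),
                      ("high_bit", HIGH_BIT), ("bad_len", BAD_LEN)]:
        print(name, "engine/daemon valid:", verdicts(pkt),
              "wire reply/acted:", deliver(pkt, []))
```

Run it and compare the `trailing` and `bad_len` rows: the engine calls both invalid, the wire shows no reply for either, yet the daemon acted on one and dropped the other. The `high_bit` row is the opposite disagreement, where the engine believes the packet was accepted and the daemon never touched it.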