Re: Packet/Protocol Anomaly Detection with IDS

From: hibano haleluya (hibano_at_hotmail.com)
Date: 05/25/05

  • Next message: PPowenski_at_oag.com: "RE: IDS ISS"
    To: j.schipper@math.uu.nl, focus-ids@securityfocus.com
    Date: Wed, 25 May 2005 05:01:39 +0000
    
    

    Hi,

    I just want to add some info.

    Normally, all standard services are already defined in RFCs.

    But sometimes these services are attacked by intruders, who use weak
    points of applications by sending non-standard packets that do not follow the RFC.

    For example, the packet range in a DNS query, or any packets which include
    abnormal flag bits. If applications get abnormal input like this,
    they will be attacked.

    A good IDS & IDP must capture non-standard packets for checking and
    prevention.

    PS. This may not be the best description; I apologize in advance. :))

    regards,

    Hibano

    >From: Joachim Schipper <j.schipper@math.uu.nl>
    >To: focus-ids@securityfocus.com
    >Subject: Re: Packet/Protocol Anomaly Detection with IDS
    >Date: Fri, 20 May 2005 17:40:49 +0200
    >
    >On Thu, May 19, 2005 at 08:50:55PM -0000, Harald Frlinger wrote:
    > >
    > >
    > > Hi Community,
    > >
    > > I'm a student, and at the moment I'm searching
    > > for some input to write my exam.
    > >
    > > The title is "Packet/Protocol Anomaly Detection with IDS"; I already got
    > > some good input.
    > > But some things are quite hard to find.
    > >
    > > What I need is some examples of attacks
    > > on specific protocols, like FTP, HTTP, TCP ...
    > > I know there are attacks like DoS or buffer overflows.
    > > But I need some more.
    > >
    > > Maybe you can tell me some good resources or
    > > examples.
    > >
    > > Thanks all, and sorry for my English.
    > >
    > >
    > > mfg
    > > harry
    >
    >Hello Harry,
    >
    >one thing I recently discovered was HTTP response splitting (known for
    >some time, but hey - I can't know everything). Quite interesting.
    >
    >Some FTP implementations (wuftpd) react(ed) badly to LIST commands with
    >lots of wildcards, which allows an easy DoS.
    >
    >Brute-forcing might be interesting too.
    >
    >There are many others, but I'm just a student myself... ;-)
    >
    > Joachim

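    The kind of check the thread is talking about, comparing what arrives on
    the wire against what the RFC allows, as an added example that is not
    code from any of the posters: stateless anomaly checks for TCP flag
    combinations (RFC 793), a DNS query header and question name (RFC 1035),
    and the glob-heavy FTP LIST argument Joachim mentions. The sample
    segments, queries and commands are constructed inline, not captured
    traffic, and the threshold of four glob metacharacters per LIST argument
    is an assumption for illustration.

```python
"""Protocol-anomaly checks of the kind an IDS/IDP runs on non-standard packets.

Added example; the packets below are hand-built, not captured traffic.
"""
from __future__ import annotations

import struct

# TCP flag bits (RFC 793, ECE/CWR from RFC 3168); they sit in byte 13 of the header.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))


def build_tcp_segment(flags: int) -> bytes:
    """Constructed 20-byte TCP header (no options, no IP header) carrying `flags`."""
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 1024, 0, 0)


def tcp_flags_from_segment(segment: bytes) -> int:
    """Pull the flags byte out of a raw TCP header."""
    if len(segment) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    return segment[13]


def tcp_flag_anomalies(flags: int) -> list[str]:
    """Name the flag combinations no RFC-conforming stack emits."""
    problems = []
    if flags & 0x3F == 0:                      # none of FIN/SYN/RST/PSH/ACK/URG
        problems.append("null scan (no flags)")
    if flags & SYN and flags & FIN:
        problems.append("SYN+FIN")
    if flags & SYN and flags & RST:
        problems.append("SYN+RST")
    if flags & (FIN | PSH | URG) == FIN | PSH | URG and not flags & ACK:
        problems.append("xmas scan (FIN+PSH+URG)")
    elif flags & FIN and not flags & (ACK | SYN):
        problems.append("FIN without ACK (FIN scan)")
    return problems


def build_dns_query(name: str, flags: int = 0x0100, qdcount: int = 1) -> bytes:
    """Constructed DNS query for `name` (A/IN); flags 0x0100 is a plain RD query."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return struct.pack("!6H", 0x1234, flags, qdcount, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", 1, 1)


def dns_query_anomalies(pkt: bytes) -> list[str]:
    """Check a message that arrived on a server's query port against RFC 1035 basics."""
    problems = []
    if len(pkt) < 12:
        return ["truncated header (<12 bytes)"]
    _ident, flags, qd, _an, _ns, _ar = struct.unpack("!6H", pkt[:12])
    if flags & 0x8000:
        problems.append("QR=1 (response) arriving as a query")
    opcode = (flags >> 11) & 0xF
    if opcode not in (0, 1, 2, 4, 5):          # QUERY, IQUERY, STATUS, NOTIFY, UPDATE
        problems.append(f"unassigned opcode {opcode}")
    if qd != 1:
        problems.append(f"QDCOUNT={qd} (expected 1)")
    pos, name_len = 12, 0                      # walk the question name label by label
    while True:
        if pos >= len(pkt):
            problems.append("question name runs past end of packet")
            return problems
        ll = pkt[pos]
        if ll == 0:
            pos += 1
            break
        if ll & 0xC0 == 0xC0:
            problems.append("compression pointer inside question name")
            return problems
        if ll > 63:
            problems.append(f"label length {ll} > 63")
            return problems
        name_len += ll + 1
        pos += 1 + ll
    if name_len + 1 > 255:
        problems.append("name longer than 255 octets")
    if len(pkt) < pos + 4:
        problems.append("question missing QTYPE/QCLASS")
    return problems


def ftp_list_anomalies(cmd: str, max_globs: int = 4) -> list[str]:
    """Flag LIST/NLST arguments dense in glob metacharacters (assumed threshold: 4)."""
    verb, _, arg = cmd.strip().partition(" ")
    if verb.upper() not in ("LIST", "NLST"):
        return []
    globs = sum(arg.count(c) for c in "*?[{")
    return [f"{globs} glob metacharacters in {verb} argument"] if globs > max_globs else []


def main() -> None:
    samples = {
        "tcp SYN":        tcp_flag_anomalies(tcp_flags_from_segment(build_tcp_segment(SYN))),
        "tcp SYN+FIN":    tcp_flag_anomalies(tcp_flags_from_segment(build_tcp_segment(SYN | FIN))),
        "tcp no flags":   tcp_flag_anomalies(0),
        "dns normal":     dns_query_anomalies(build_dns_query("www.example.com")),
        "dns QR set":     dns_query_anomalies(build_dns_query("www.example.com", flags=0x8180)),
        "dns long label": dns_query_anomalies(build_dns_query("a" * 64 + ".com")),
        "ftp LIST /pub":  ftp_list_anomalies("LIST /pub"),
        "ftp LIST globs": ftp_list_anomalies("LIST */../*/../*/../*/../*"),
    }
    for label, result in samples.items():
        print(f"{label:16} {'OK' if not result else '; '.join(result)}")


if __name__ == "__main__":
    main()
```

    Each function returns the list of violations rather than a verdict, so a
    real sensor can decide per check whether to alert, drop, or just count;
    the DNS walker stops at the first malformed label because nothing after
    it can be parsed reliably.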


