Re: Cisco IOS Shellcode - McAfee IPS Protection

From: Ron Gula (rgula_at_tenablesecurity.com)
Date: 08/08/05

    Date: Mon, 08 Aug 2005 13:22:02 -0400
    To: focus-ids@securityfocus.com

    At 06:25 PM 8/4/2005, Joel Esler wrote:

    >How can they have "0-day" if ISS (makers of RealSecure and proventia
    >IDS) announced the vuln? Wouldn't that lead us to believe that ISS
    >had it first?

    It depends on what they are detecting and/or blocking. For example,
    we added rules to look for un-encrypted Cisco command shells in
    our NeVO product. We have similar rules for UNIX and Windows shell
    detection which is trivial to evade, but extremely effective in the
    wild.

    Since the IDS/IPS guys are more on the detect/prevent side, I
    would expect them to focus on stuff like instruction sets for the
    CPUs used in various Cisco products and anomalies in protocols
    used by routers/switches like RIP, tftp, SNMP, etc. Many of these
    concepts (like blocking protocol anomalies in SNMP) have been in
    IPS products for several years already.

    > Beyond that, it's been a week, I am sure that all the major IDS
    > vendors have it.

    I think most of them are relying on existing technology. For example,
    a quick check of snort.org and bleedingsnort.org didn't have any new
    cisco-specific rules, yet there are signatures to detect various Cisco
    attacks already.

    Ron Gula, CTO
    Tenable Network Security
    http://www.tenablesecurity.com
