RE: Help in writing Network IDS/IPS signature to detect sftp vulnerability




As an administrator, one can create a 'Policy violation' signature. The freeSSHD
daemon sends the string "SSH-2.0-WeOnlyDo 2.0.3" upon client connection.
It seems that 'WeOnlyDo' is the name of the company which made this software.
2.0.3 could be the software's internal version. You could write a signature which
checks for the string 'WeOnlyDo' and possibly the version string.

Srini
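
The following is an added example, not code from the thread or from freeSSHd: a
Python check that applies Srini's banner idea. The SSH version exchange
(RFC 4253 section 4.2) is sent in cleartext before key exchange, so a network
sensor can read it even though everything after it, including the SFTP
subsystem traffic Ravi asks about, is encrypted. Note what this does and does not
detect: it identifies a server that announces itself as the affected software,
not the exploit itself. The sample banners, the "WeOnlyDo" software name and the
"2.0.3" version are taken from the post above; treating "2.0.3" as the only
affected version is an assumption for the example.

```python
import re
from typing import Optional, Sequence

# RFC 4253 sec. 4.2 version line: "SSH-protoversion-softwareversion SP comments CR LF".
# For "SSH-2.0-WeOnlyDo 2.0.3" the softwareversion field is "WeOnlyDo" and
# "2.0.3" sits in the optional comments field, so a signature that wants the
# version has to look past the first space.
_VERSION_LINE = re.compile(
    rb"^SSH-(?P<proto>[0-9.]+)-(?P<software>[^ \r\n]+)(?: (?P<comments>[^\r\n]*))?$"
)

# Constructed samples of a server's opening bytes (cleartext, before key exchange).
SAMPLE_FREESSHD = b"SSH-2.0-WeOnlyDo 2.0.3\r\n"          # banner quoted in the thread
SAMPLE_OPENSSH = b"SSH-2.0-OpenSSH_4.7\r\n"              # unrelated server, must not fire
# RFC 4253 lets a server send other lines before the version line; clients ignore them.
SAMPLE_WITH_PREAMBLE = b"Welcome to the test box\r\nSSH-2.0-WeOnlyDo 2.0.3\r\n"
SAMPLE_INCOMPLETE = b"SSH-2.0-WeOnly"                    # banner split across TCP segments


def parse_ssh_banner(buf: bytes) -> Optional[dict]:
    """Return the parsed version line from the server's opening bytes, or None
    if no complete version line has arrived yet (or the line is malformed)."""
    lines = buf.split(b"\n")
    # The last element has no terminating LF: it is empty or a partial line,
    # so a sensor must wait for more data rather than match on it.
    for line in lines[:-1]:
        line = line.rstrip(b"\r")
        if not line.startswith(b"SSH-"):
            continue  # pre-banner text, skipped as RFC 4253 requires
        m = _VERSION_LINE.match(line)
        if m is None:
            return None  # malformed version line
        return {
            "proto": m.group("proto").decode("ascii", "replace"),
            "software": m.group("software").decode("ascii", "replace"),
            "comments": (m.group("comments") or b"").decode("ascii", "replace"),
        }
    return None


def match_banner(buf: bytes, software: str = "WeOnlyDo",
                 versions: Sequence[str] = ("2.0.3",)) -> bool:
    """Policy-violation style check: True when the server identifies itself with
    the given software name and, if 'versions' is non-empty, one of the listed
    version strings in the comments field. Assumption for this example: only
    the versions listed are of interest; an empty tuple matches any version."""
    parsed = parse_ssh_banner(buf)
    if parsed is None or parsed["software"] != software:
        return False
    if not versions:
        return True
    return parsed["comments"] in versions


if __name__ == "__main__":
    for name, sample in [("freesshd", SAMPLE_FREESSHD), ("openssh", SAMPLE_OPENSSH),
                         ("preamble", SAMPLE_WITH_PREAMBLE), ("incomplete", SAMPLE_INCOMPLETE)]:
        print(name, parse_ssh_banner(sample), "ALERT" if match_banner(sample) else "ok")
```

The same match in a Snort-style rule is a `content:"SSH-2.0-WeOnlyDo"` test on
server-to-client traffic (`flow:from_server,established`) with a small `depth`,
since the version line is the first thing the server sends; the Python version
is mainly here to show the two fields the banner splits into and the
partial-segment case a stream-unaware content match would get wrong.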


-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On
Behalf Of Ravi Chunduru
Sent: Friday, June 06, 2008 5:22 PM
To: Focus IDS
Subject: Help in writing Network IDS/IPS signature to detect sftp
vulnerability

Hi,

Check this disclosure at

http://archives.neohapsis.com/archives/fulldisclosure/2008-06/0101.html

The attack data is encrypted within the SSH session. Without
having to decrypt the SSH, is there any clever way to detect this
(using some kind of anomaly in the packet size, type of characters,
etc.)?

thanks
Ravi

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------


