A good example of this is the latest Microsoft MS03-026 vulnerability.

There are two ways to write detection. An "exploit-sig" would look for patterns
found in known exploits. A "vuln-sig" looks for the structure of the
vulnerability. ISS focuses more on "vuln-sigs" using "protocol-analysis" than
any other vendor.

For example, as described in the Microsoft advisory, the vulnerability is
because part of a UNC pathname in a DCOM remote activation request can overflow
a buffer. We therefore decode the underlying protocols (e.g. MS-RPC, DCOM, and
ISystemActivator) and look for the length of that buffer. Specifically, the
Microsoft bug is when the machinename component of a UNC pathname exceeds 16
characters. (An example UNC pathname looks like \\MACHINE\C$\Foo\bar.doc).

For example, if I send a MS-RPC/DCOM/ISystemActivator request with a UNC
pathname of \\MACHINEXXXXXXXXXXXXXXXXXXXXXXXXXX\C$\Foo\bar.doc, then I will
crash the MS-RPC/DCOM service. If I stuff the buffer with something other than
XXX, I can cause it to remotely run my code. Because we trigger on the length
of this machine name, we cannot be evaded by things like polymorphic shellcode
or the other many techniques that evade pattern-matching systems.

This means that we should not only catch the exploits in the wild, but we
should also catch unknown exploits. ISS has developed our own exploits for this
vulnerability, and they cannot be caught by our competitors. While there is not
a well known set of exploits in the wild, we believe there are other private
ones as well.

RealSecure Guard is the inline version of our IDS (a.k.a. intrusion prevention
system). We believe it will stop all versions of this exploit, public or
private. I can't guarantee it, of course, because if it were that easy to stop
hackers, then the problem would have been solved long ago :-). But we probably
know more about this exploit than anybody else outside of Microsoft, so we are
pretty confident.

Note that all of our competitors claim to also do "protocol-analysis" and
"vuln-sigs", and that's true. However, they only do a little of it. When they
release signatures for this Microsoft vuln, they will do so with exploit-sigs,
not vuln-sigs. This is because ISS already had an MS-RPC protocol decoder,
whereas they will have to figure out how to write one if they want to do a
vuln-sig, which takes time (the PAM module decodes over 100 protocols; all the
other vendors decode between 10 and 30 protocols).


--- John Taylor <[EMAIL PROTECTED]> wrote:
> whoops!
> 
> Forgot to stress that of course the PAM in Network Sensor helps detect
> faster, improves throughput and can detect "unknown" new exploits but of
> course as Network Sensor is a passive device it cannot block attacks so all
> the RSKill work is still necessary. (Another reason why we use RealSecure
> Guard in-line rather than Network Sensor where possible).
> 
> JT
> 
> John Taylor | Director Security Products | Tolerant Systems Ltd | 01782
> 865026 | 07730 989255 
> This electronic message contains information from Tolerant Systems, which
> may be privileged or confidential. The information is intended for use only
> by the individual(s) or entity named above. If you are not the intended
> recipient, be aware that any disclosure, copying, distribution or use of the
> contents of this information is strictly prohibited. If you have received
> this electronic message in error, please notify me by telephone or email (to
> the number or email address above) immediately.
> 
> 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, July 29, 2003 11:43 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ISSForum] PAM and Sensor Version 7.0
> 
> 
> Hi,
> 
> PAM is the Protocol Analysis Module which was developed by Network ICE in
> their Sentry, (Network Sensor), Guard, (in-line IPS) ICEAgent for Server
> (Server Sensor) and ICEAgent for Desktop (Desktop Protector). Since the
> purchase of Network ICE, PAM has been gradually ported over to a number of
> ISS products to complement the existing weaker Signature based detection.
> The log file trailing capabilities where appropriate have been retained as
> Network ICE did not cover this. 
> 
> PAM basically is very fast packet decode and analysis, very similar to
> Sniffer if you know that as the same guys developed it who wrote Sniffer,
> the difference is that PAM is many times faster in decoding than Sniffer
> was. Taking windows as an example the simple methodology is that PAM in
> conjunction with other software enables a decision to be reached before the
> packet is applied to the upper layers of the ISO model hence an attack can
> be detected and blocked BEFORE it does damage hence the term Intrusion
> Protection as opposed to Detection! 
> 
> Whilst all the older practices of RSKill etc are still maintained they are
> now almost redundant as the PAM makes it possible to close a port and drop
> an attack independent of any need to configure a RSKill, in addition as most
> new attacks are made up from parts of old, and the PAM is looking at the
> connection layer and monitoring the session it is possible to observe
> protocol anomalies and packet content and actually block new exploits
> without a signature. (Cool huh?)
> 
> I installed the first prototype Guard from Network ICE in London on a vital
> link in 2001, (talk about taking risks!!) and it actually detected and
> stopped a new very serious exploit before it was made public! (cannot
> remember if it was code red or Nimda!). PAM and RealSecure Guard are the
> absolute stars of the IPS World, Guard handles 100MBps full duplex at
> theoretically 100% load and if you install it behind your Firewall in-path
> it protects all internet incoming attacks and by nature all desktops that
> are browsing internet! (I absolutely LOVE RealSecure Guard, we have put in
> hundreds and they work, unless we have to "tap" for dynamic load balanced
> links we always install Guard rather than Network Sensor with Server Sensor
> on all servers to protect from internal attack and desktop protector on
> remote notebook PCs, in my humble view Network Sensor is yesterday's way of
> doing things.)
> 
> This is what makes ISS products the strongest in the market today.
> 
> The PAM was incorporated into Network Sensor and Server Sensor with 7.0, it
> was always in Guard and desktop protector.
> 
> Hope this helps!
> 
> John
> 
> John Taylor | Director Security Products | Tolerant Systems Ltd | 01782
> 865026 | 07730 989255 
> 
> 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, July 29, 2003 1:30 AM
> To: [EMAIL PROTECTED]
> Subject: [ISSForum] PAM and Sensor Version 7.0
> 
> 
> 
> Hi
> 
> Can anyone help answering the following questions ?
> 
> A) PAM
> 
> What is PAM and how does it work ?
> 
> Does it only appear in network sensor 7.0 and server sensor 7.0 but not
> earlier versions ?
> 
> Where can I find an official documentation on it ? The only thing I can find
> is the "Server Sensor Advanced Tuning Parameters Reference Document" but none
> for the network sensor. I don't think it explains the concept clearly either.
> 
> 
> B) Server sensor 7.0
> 
> Why is there suddenly a server sensor 7.0 for HP-UX but not for Solaris
> while there was only 6.5 for Solaris only ?
> 
> 
> Are they planning to release a 7.0 for Solaris too ?
> 
> 
> It is so confusing to me.
> 
> 
> TIA
> Bernard
> 
> 
> _______________________________________________
> ISSForum mailing list
> [EMAIL PROTECTED]
> 
> TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
> https://atla-mm1.iss.net/mailman/listinfo
> 
> -- 
> Is anybody else reading your confidential e-mails? 
> 
> If you need to be SURE that they are not, find out how by clicking below.
> 
> http://www.tolerant.com/products/spotlight.asp
> 
> 
> 
> 
> 


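The vuln-sig versus exploit-sig distinction from the top message of this thread, as an added Python example (not ISS or PAM code): it recovers the UNC pathname from a constructed request framing (the UTF-16LE framing is an assumption, not the real MS-RPC/DCOM/ISystemActivator wire format), checks the machine-name component against the 16-character limit, and shows that a machine name filled with something other than the known run of X bytes evades the exploit-sig but not the vuln-sig.

```python
"""Vuln-sig vs exploit-sig for the MS03-026 UNC machine-name length bug.

Added example, not ISS/PAM code. It models only the check the top message
describes: a UNC pathname in a DCOM activation request whose machine-name
component exceeds 16 characters. The request framing (a marker byte pair,
the pathname as UTF-16LE, a NUL) is a constructed assumption, not the real
MS-RPC/DCOM/ISystemActivator wire format.
"""
import re
from typing import Dict, Optional

MAX_MACHINE_NAME = 16  # buffer limit stated in the message

# Exploit-sig: byte pattern of one known exploit, a long run of 'X' in UTF-16LE.
EXPLOIT_SIG = re.compile(rb"(?:X\x00){20,}")
# A UNC pathname: two backslashes, a machine name, then optional components.
UNC_RE = re.compile(r"\\\\[^\\\x00]+(?:\\[^\\\x00]*)*")


def machine_name(unc_path: str) -> Optional[str]:
    """Return the machine-name component of a UNC path, or None if not UNC."""
    if not unc_path.startswith("\\\\"):
        return None
    return unc_path[2:].split("\\", 1)[0]

def vuln_sig(unc_path: str) -> bool:
    """Vuln-sig: fires on the overflow condition itself, whatever fills the name."""
    name = machine_name(unc_path)
    return name is not None and len(name) > MAX_MACHINE_NAME

def exploit_sig(request: bytes) -> bool:
    """Exploit-sig: fires only on the byte pattern of the known exploit."""
    return EXPLOIT_SIG.search(request) is not None

def build_request(unc_path: str) -> bytes:
    """Constructed sample request in the assumed framing described above."""
    return b"\x05\x00" + unc_path.encode("utf-16-le") + b"\x00\x00"

def decode_unc(request: bytes) -> Optional[str]:
    """Recover the UNC pathname from a request in the assumed framing."""
    m = UNC_RE.search(request.decode("utf-16-le", errors="ignore"))
    return m.group(0) if m else None

def classify(request: bytes) -> Dict[str, bool]:
    """Run both detection styles over one request."""
    path = decode_unc(request)
    return {"exploit_sig": exploit_sig(request),
            "vuln_sig": path is not None and vuln_sig(path)}
```

Running `classify` over `build_request("\\\\" + "A1b2" * 8 + "\\C$\\Foo\\bar.doc")` gives an exploit-sig miss and a vuln-sig hit, which is the evasion gap the message describes.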
_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to 
https://atla-mm1.iss.net/mailman/listinfo
