Below I have included a posting to the "snort-sigs" list, which is a mailing list to discuss the development of rules for the Snort IDS. The author of the email explained some of the differences between Snort and other pattern matching IDS systems, and RealSecure and Proventia. ISS X-Force had no such trouble developing protection against ProFTPD attacks because the PAM, or "Protocol Analysis Module", that is the heart of all ISS protection products is designed to detect exploits and attacks in all of their complexity, not simply by searching for a static pattern or regular expression.

Vulnerabilities and exploits today are so much more complex than even those released two years ago. Modern exploits and attacks are no longer simply sending too much data for one specific buffer and causing it to overflow. Many modern exploits appear nearly identical to normal, everyday traffic. These attacks are also not the simple one or two packet attacks of the past. Many new vulnerabilities can be exploited in several different ways, like recent Sendmail overflows (for which no complete Snort rules exist). Hackers are figuring out ways to bypass simple string-matching or pattern-matching IDS systems by simply modifying their exploits. More robust detection mechanisms including protocol analysis must be used in order to catch the first exploit, and all the variations that may appear later.

Regards,

===============================
Daniel Ingevaldson
Engineering Manager, X-Force R&D
[EMAIL PROTECTED]
404-236-3160
Internet Security Systems, Inc.
The Power to Protect
http://www.iss.net
===============================

-----Original Message-----
From: Joe Stewart [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 24, 2003 3:18 PM
To: [EMAIL PROTECTED]

While trying to reproduce the recent ProFTPD vulnerability described by ISS ( http://xforce.iss.net/xforce/alerts/id/154 ) I have come to the conclusion that there is no way to write a concise Snort rule that would detect the condition of the vulnerability. The condition is that you have a large number of newlines (around 600 or more) in a single 1024-byte aligned chunk of the file being downloaded in ASCII. It doesn't matter if the newlines are contiguous or if they have other content randomly interspersed. A simple way to logically detect this is to count the number of occurrences of 0x0A in a packet, no matter how they are arranged. However, there doesn't seem to be a way to do this with Snort.

It seems when you are dealing with parsers in software, there are often conditions you get into where a particular character causes buffer sizes to be miscalculated (think sendmail prescan vulns), and that these conditions are not easily detected by Snort because of the myriad of ways they can be formatted, even though it seems as if it would be easy to spot. Is there a solution to this problem utilizing existing Snort features?

-Joe

--
Joe Stewart, GCIH
Senior Security Researcher
LURHQ Corporation
http://www.lurhq.com/

_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo
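The detection logic Joe Stewart describes above (count 0x0A bytes per 1024-byte aligned chunk of the ASCII-mode transfer, ignoring how they are arranged) is easy to express outside Snort's content-matching model. The following is an added illustration, not code from either poster or from ISS: the chunk size (1024) and threshold (600) are the values given in the message, every sample stream is constructed here, and the function names are my own. It also shows why the word "aligned" matters for a detector: 800 contiguous newlines that straddle a chunk boundary never put 600 into any single chunk.

```python
"""Per-chunk newline counting for the ProFTPD ASCII-download condition described
in the thread above. Added example; stream contents are constructed."""
import random

CHUNK_SIZE = 1024   # per the message: the condition applies to one 1024-byte aligned chunk
THRESHOLD = 600     # per the message: "around 600 or more" newlines in that chunk


def newline_counts_per_chunk(data: bytes, chunk_size: int = CHUNK_SIZE) -> list[int]:
    """Count 0x0A bytes in each chunk_size-aligned slice of data.

    Offsets are relative to the start of the file being transferred, so this must
    be fed the reassembled FTP data channel from its first byte; a capture that
    starts mid-transfer shifts the alignment and will mis-bucket the counts.
    Arrangement within a chunk is irrelevant: only the count is used.
    """
    return [data[i:i + chunk_size].count(b"\n")
            for i in range(0, len(data), chunk_size)]


def suspicious_chunks(data: bytes,
                      threshold: int = THRESHOLD,
                      chunk_size: int = CHUNK_SIZE) -> list[tuple[int, int]]:
    """Return (chunk_index, newline_count) for every chunk at or above threshold."""
    counts = newline_counts_per_chunk(data, chunk_size)
    return [(i, n) for i, n in enumerate(counts) if n >= threshold]


# ---- constructed sample streams (not real traffic) ----

def benign_text(lines: int = 200, width: int = 40) -> bytes:
    """Ordinary line-oriented text: roughly 25 newlines per 1024-byte chunk."""
    return b"\n".join(b"x" * width for _ in range(lines)) + b"\n"


def contiguous_payload(newlines: int = 650, size: int = CHUNK_SIZE) -> bytes:
    """One chunk whose first `newlines` bytes are all 0x0A."""
    return b"\n" * newlines + b"A" * (size - newlines)


def interspersed_payload(newlines: int = 650, size: int = CHUNK_SIZE, seed: int = 1) -> bytes:
    """One chunk with `newlines` 0x0A bytes scattered at random positions among filler,
    the case the message says a pattern match cannot express."""
    rng = random.Random(seed)
    buf = bytearray(b"A" * size)
    for pos in rng.sample(range(size), newlines):
        buf[pos] = 0x0A
    return bytes(buf)


def straddling_payload() -> bytes:
    """800 contiguous newlines split 400/400 across the chunk-0/chunk-1 boundary:
    more newlines in total than the threshold, but no single aligned chunk reaches it."""
    return b"A" * 624 + b"\n" * 800 + b"A" * 624


if __name__ == "__main__":
    for name, stream in [("benign", benign_text()),
                         ("contiguous", contiguous_payload()),
                         ("interspersed", interspersed_payload()),
                         ("straddling", straddling_payload())]:
        print(f"{name:12s} counts={newline_counts_per_chunk(stream)} "
              f"flagged={suspicious_chunks(stream)}")
```

The point of the last sample is that a per-packet count, which is what the message asks Snort for, is only a proxy: packets are not 1024-byte aligned to the file, so a faithful check has to run over the reassembled data stream with file-relative offsets, and a count that is merely high across a packet boundary should not be treated as the vulnerable condition.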
