Dailydave mailing list archives

Re: Arbor-con


From: dave <dave () immunitysec com>
Date: Wed, 21 Jul 2004 07:57:38 -0400

Andre Gironda wrote:

On Tue, 20 Jul 2004 17:51:56 -0400, dave <dave () immunitysec com> wrote:


The use case is fairly interesting, and obviously applicable to
traditional intrusion detection/prevention. I think there are other
avenues that weren't discussed, of course, like automated attack/worm
packet signature development and deployment. (hmm. This host A seems
infected, it spewed string ABCD at host B. Then host B started doing the
same thing. Let's block all packets with string ABCD on that port from
any host to any host).

Hrmn... sounds too much like Bittorrent or a bunch of production SQL
servers talking.  Do you have a good example of how that might work?

Well, combine it with any half-assed algorithm that does worm detection first - any sort of modeling and heuristics or basic pattern matching algo will work. Do it on a per-port (or per RPC service) basis.

So the code looks like this:

if worm_trigger_reached:
    sigs = scan_non_baselined_packets_for_sigs()       # generate a list of signatures by comparing packets
    filter_and_check_baselined_packets_for_sigs(sigs)  # make sure we wouldn't block good packets and delete any sigs that do
    apply_new_sigs(sigs)


Won't catch SSL/ipsec worms though.
-dave
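As an added example (not code from Dave's post or from Immunity), here is one concrete filling-in of those three calls in Python, run over constructed sample traffic: candidate signatures are byte n-grams shared by nearly all payloads the worm heuristic flagged, anything also seen in baseline traffic on the same port is thrown out (which is what stops BitTorrent peers or replicating SQL servers from being blocked), and the survivors are merged back into maximal byte runs. The function names follow the pseudocode; n, min_frac and the sample payloads are assumptions.

```python
import math
from collections import Counter
# Constructed sample traffic for one port (not from the original post): flagged payloads and known-good baseline.
SUSPECT = [
    b"POST /svc HTTP/1.0 id=7 ABCDWORMCODEABCD",
    b"POST /svc HTTP/1.0 id=8 ABCDWORMCODEABCD",
    b"POST /svc HTTP/1.0 id=9 ABCDWORMCODEABCD",
]
BASELINE = [
    b"POST /svc HTTP/1.0 id=1 name=alice",
    b"GET /index.html HTTP/1.0",
    b"POST /svc HTTP/1.0 id=3 ABCD",  # a short 'ABCD' on its own is legitimate
]

def scan_non_baselined_packets_for_sigs(suspect, n=8, min_frac=0.9):
    """Candidates: byte n-grams present in at least min_frac of flagged payloads."""
    counts = Counter()
    for p in suspect:
        counts.update({p[i:i + n] for i in range(len(p) - n + 1)})
    need = max(1, math.ceil(len(suspect) * min_frac))
    return {g for g, c in counts.items() if c >= need}

def filter_and_check_baselined_packets_for_sigs(sigs, baseline):
    """Drop candidates that also occur in known-good traffic (protocol headers,
    chatty-but-legitimate peers), so applying them would not block good packets."""
    return {s for s in sigs if not any(s in p for p in baseline)}

def merge_runs(sigs, suspect, n):
    """Stitch overlapping surviving n-grams back into maximal byte runs."""
    merged = set()
    for p in suspect:
        covered = [False] * len(p)
        for i in range(len(p) - n + 1):
            if p[i:i + n] in sigs:
                covered[i:i + n] = [True] * n
        start = None
        for i, c in enumerate(covered + [False]):  # sentinel closes a final run
            if c and start is None:
                start = i
            elif not c and start is not None:
                merged.add(p[start:i])
                start = None
    return merged

def build_signatures(suspect, baseline, n=8, min_frac=0.9):
    """The three steps from the post; returns signatures safe to apply."""
    sigs = scan_non_baselined_packets_for_sigs(suspect, n, min_frac)
    sigs = filter_and_check_baselined_packets_for_sigs(sigs, baseline)
    return sorted(merge_runs(sigs, suspect, n))
```

With the sample data the shared HTTP header n-grams are all discarded because the baseline contains them, and only the run around ABCDWORMCODEABCD survives; if that string also appears in the baseline, nothing is produced.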


_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave