IDS mailing list archives
Re: IDS alerts / second - Correlation - Virtualization
From: Devdas Bhagat <devdas () dvb homelinux org>
Date: Wed, 3 Aug 2005 02:26:01 +0530
On 02/08/05 13:19 -0400, Jason wrote:
<snip>
> > Yes. Mail bodies traditionally are not run through eval(), but pattern
> > matched. Stuff sent to scripts through mail is a different beast, and in
> > general, that code is well written.
> Hrm. I'm pretty sure that attackers can comply with "traditionally" and yet
> still win. I also wouldn't agree that the scripts that handle automation are
> generally well written. This entire industry is based on failures in the same
> assumptions you are making here.
At least the ones I have dealt with have been quite well written, and rapidly
fixed if/when bugs are found.
> > I have never seen any situation where a mail body contained a script which
> > would be run automatically on a Unix system. Plus, you can just use a
> > current scanner like amavisd-new to only allow valid commands to be sent
> > to the script (per recipient specifications).
> Just because you have not seen it does not mean it is not there. Reference
> any outlook vuln or the below sendmail vuln.
> http://www.securityfocus.com/bid/6991
> http://www.securityfocus.com/archive/1/313757
My point was about scripts in message bodies being automatically executed on
Unix systems. And if you are worried about Sendmail issues, there are better
alternatives available. Trying to defend against very very improbable events
is simply not worth the effort, there are bigger holes to defend.

The original point was about allowing only basic, validated traffic and
blocking what we do not understand. I would make the assumption that the
firewall _is_ written safely (otherwise you need a better firewall). Your
example of the Sendmail vulnerability would not have gone through a
Postfix/qmail box.

It is perfectly possible to implement security systems properly. It takes
effort. There are no short cuts.

Devdas Bhagat
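The allowlisting the message above describes (mail bodies pattern-matched against a fixed set of commands rather than evaluated, with the permitted set depending on the recipient), as an added example that is not part of the thread and is not amavisd-new's own code. The command tables, recipient names and sample messages are constructed for this example; the per-recipient table format is hypothetical.

```python
"""Allowlist-based handler for commands carried in mail bodies.

Added example, not from the thread and not amavisd-new: the body is only
matched against fixed patterns, the set of permitted commands depends on the
recipient address, and anything that does not match is rejected.
"""
import email
import re
from email import policy
from typing import Optional, Tuple

# Constructed per-recipient allowlist (hypothetical format).
# Key: local part of the recipient address.  Value: command name -> regex that
# the command's single argument must match in full.
ALLOWED_COMMANDS = {
    "listserv": {
        "subscribe": re.compile(r"[a-z0-9-]{1,32}"),
        "unsubscribe": re.compile(r"[a-z0-9-]{1,32}"),
        "help": re.compile(r""),          # takes no argument
    },
    "ticket": {
        "status": re.compile(r"[0-9]{1,8}"),
    },
}

# One lowercase command word, optionally one whitespace-free argument, nothing else.
COMMAND_LINE = re.compile(r"^\s*([a-z]+)(?:\s+(\S+))?\s*$")


def parse_command(recipient_local: str, body: str) -> Optional[Tuple[str, str]]:
    """Return (command, argument) if the first non-blank body line is a command
    allowed for this recipient, else None.  Nothing in the body is ever
    interpreted or executed; it is only compared against fixed patterns."""
    table = ALLOWED_COMMANDS.get(recipient_local)
    if table is None:
        return None                       # unknown recipient: reject everything
    for line in body.splitlines():
        if not line.strip():
            continue
        m = COMMAND_LINE.match(line)
        if m is None:
            return None                   # malformed line
        cmd, arg = m.group(1), m.group(2) or ""
        pattern = table.get(cmd)
        if pattern is None or pattern.fullmatch(arg) is None:
            return None                   # not allowed for this recipient, or bad argument
        return (cmd, arg)                 # only the first non-blank line is honoured
    return None


def handle_message(raw: bytes) -> dict:
    """Parse a raw RFC 822 message, take the recipient's local part, and decide."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    to_header = msg["To"]
    local = ""
    if to_header is not None and to_header.addresses:
        local = to_header.addresses[0].username.lower()
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    result = parse_command(local, body)
    if result is None:
        return {"accepted": False, "recipient": local, "reason": "no allowed command"}
    return {"accepted": True, "recipient": local,
            "command": result[0], "argument": result[1]}


# Constructed sample messages.
SAMPLE_OK = b"""From: alice@example.net
To: listserv@example.org
Subject: cmd

subscribe ids-list
"""

# 'status' is allowed for the ticket address, not for listserv: rejected.
SAMPLE_WRONG_RECIPIENT = b"""From: bob@example.net
To: listserv@example.org
Subject: cmd

status 42
"""

if __name__ == "__main__":
    print(handle_message(SAMPLE_OK))
    print(handle_message(SAMPLE_WRONG_RECIPIENT))
```

The decision is made entirely from the allowlist lookup and a full-match regex on the argument, so a body that is not literally one permitted command for that recipient never reaches the script behind the gateway.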