IDS mailing list archives
Re: Re: Re: HTTP traffic
From: "Abhishek Bhuyan" <abhuyan () gmail com>
Date: Wed, 8 Aug 2007 21:43:52 +0530
abhicc - I didn't understand what you mean by "to have a signature or rule which will create a region where other vulnerability specific rules can operate." What I meant to say is, there are more chances for false positives in client-side HTTP. Understanding of the protocol is necessary, but I don't understand how it's related to false positives. There might be a vulnerability in a webserver where a GET request of more than 256 characters might crash it; that doesn't mean there cannot be a legitimate GET request with more than 256 characters (if you consider writing generic filters).

hirosh - We are not coming to the argument of exploit vs. vulnerability, nor about how fast we can write rules. Say, tackling file format vulnerabilities, you can do some sort of file format decoder, but that too will be complex. Especially on the client side, there are way too many evasion tactics. You can also be creative in writing exploit specific filters :) If we just look for AAAA, it will be hard to survive in the industry :)

-Abhishek

On 8 Aug 2007 10:22:39 -0000, hirosh () gmail com <hirosh () gmail com> wrote:
Exploit specific means -> you have less idea about the vulnerability and you want to complete the rules fast?? If you have a good idea about the vulnerability and you can do a better protocol parsing or whatever parsing is needed, then why go for exploit specific? It doesn't look professional; you can be bypassed by just changing AAA to BBB bobo..
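The exploit-specific versus vulnerability-specific distinction argued in this thread, as an added example that is not part of the original posts: a literal "AAAA" signature beside a rule that parses the HTTP request line and checks the condition that actually triggers the hypothetical "GET longer than 256 characters" crash. The 256-character limit, the regex, and all request samples are constructed for illustration.

```python
import re

URI_LIMIT = 256  # hypothetical crash threshold taken from the thread's example

# Exploit-specific: matches the byte pattern one published exploit happened to use.
EXPLOIT_SIGNATURE = re.compile(rb"GET /A{200,}")


def exploit_specific_alert(request: bytes) -> bool:
    """Fires only on the literal payload of the known exploit."""
    return EXPLOIT_SIGNATURE.search(request) is not None


def parse_request_line(request: bytes):
    """Minimal HTTP request-line parser: returns (method, uri) or None."""
    line, _, _ = request.partition(b"\r\n")
    parts = line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return parts[0], parts[1]


def vulnerability_specific_alert(request: bytes) -> bool:
    """Fires on the condition that reaches the bug: a GET whose URI exceeds
    the limit, regardless of which bytes fill it."""
    parsed = parse_request_line(request)
    if parsed is None:
        return False
    method, uri = parsed
    return method == b"GET" and len(uri) > URI_LIMIT


# Constructed samples (not captured traffic).
TAIL = b" HTTP/1.1\r\nHost: example\r\n\r\n"
SAMPLES = {
    "published_exploit": b"GET /" + b"A" * 300 + TAIL,
    "trivially_modified": b"GET /" + b"B" * 300 + TAIL,   # hirosh's AAA -> BBB point
    "benign_short": b"GET /index.html" + TAIL,
    "benign_long_query": b"GET /search?q=" + b"term+" * 60 + TAIL,  # Abhishek's false-positive concern
    "long_post": b"POST /" + b"A" * 300 + TAIL,           # long URI, but not the GET code path
}


def evaluate(samples=SAMPLES):
    """Return {name: (exploit_rule_fired, vulnerability_rule_fired)} per sample."""
    return {name: (exploit_specific_alert(r), vulnerability_specific_alert(r))
            for name, r in samples.items()}


if __name__ == "__main__":
    for name, (exp, vuln) in evaluate().items():
        print(f"{name:20s} exploit-specific={exp!s:5s} vulnerability-specific={vuln}")
```

The output makes both sides' points visible: the literal signature misses the B-variant that the parsing rule catches, while the parsing rule also fires on a legitimate long search query, which is the false-positive trade-off Abhishek describes.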