RE: IDS detection approaches

["Nelson Brito" <nbrito () sekure org>]

> This is always something that exists as a threat by stateless
> protocols, it matters not that it is a null payload or a real payload,
> the result is the same, as is the reality that this is malicious
> traffic on the wire. I would argue that using a null payload is
> actually falling short of the goal of resource exhaustion in so far as
> the analyst can easily eliminate it. Sourcefire (Creators of Snort)
> also provides more automatic methods to do this work for the analyst
> by determining if the payload has any chance of affecting the target
> and adjusting the events accordingly. This serves to highlight the
> important events that need review and lower the relevance of the rest
> of the events.

That is the point here. NULL bytes shouldn't fire any event, due to the fact
that the end-point - the vulnerable server - ignore the NULL bytes, i.e.,
the SQL Server will respond as a valid request showing you the information
you have requested, but in this scenario the SNORT or any other that doesn't
check correctly the payload and the content will fire an attack event -
false positive. That is so old school, since the release of the evasion,
insertion and DoS bible, that any IDS/IPS mjust have protection against this
kind of attack.

As I said, and that is my last reply for this thread, if you cannot see or
see more than you should, you are not able to protect your network. Some of
the IDS/IPS has a protection "threshold" that when you reach the # the
IDS/IPS will shutdown the signature. Is that good? Can we consider an
IDS/IPS technology that protects itself instead of your network?

> There are several classes of thresholds available within Snort, which
> one used depends entirely on the need. From
> http://www.snort.org/docs/snort_htmanuals/htmanual_280/node330.html#Event_
> Thresholding
>
> There are 3 types of thresholding:
>
>     * limit
>
>       Alerts on the 1st m events during the time interval, then
> ignores events for the rest of the time interval.
>
>     * threshold
>
>       Alerts every m times we see this event during the time interval.
>
>     * both

You are missing the real thing here... You cannot fix this using thresholds,
because doing this you will fix the result when you should consider to
attack the cause of this: the signature.

Best regards.

Nelson Brito



------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------