Dailydave mailing list archives
Re: WMF and the Windows Vulnerability Drought :>
From: Frank Knobbe <frank () knobbe us>
Date: Mon, 02 Jan 2006 17:55:53 -0600
On Mon, 2006-01-02 at 16:20 -0500, Dave Aitel wrote:
> If it's going to annoy you a lot when people pad the exploit to match an MTU header, then it's going to REALLY annoy you when we set our MTU size to be 40 bytes, and use tiny HTTP chunks for a gzipped file over SSL after doing several prior null requests.
That's certainly true for most (all?) IDSes. Run the attack over SSL or use gzip (or compress or deflate), and the IDS is blind. (Or IPS... and if it gunzips HTTP traffic first, throw a 0-bomb at it :)

I'd like to think we did a good job getting a sig together that alerts on the vulnerability (not just the exploit) and survives a variety of evasive tactics. gzip of course left us in the dust. But it seems like we had a higher detection rate than desktop-based AV :)

An IDS is not a silver bullet, I think you know that. But that doesn't mean it's worthless either. We used it and continue to use it for identifying web sites serving malicious WMF files. We won't find them all, but we can make a dent.

Yeah, bugs in code need to be fixed on a code level, not with network-based stuff. What else is new? Except the year maybe.

Happy New Year.
Frank

--
It is said that the Internet is a public utility. As such, it is best compared to a sewer. A big, fat pipe with a bunch of crap sloshing against your ports.
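The thread's two points, that a signature matching raw bytes is blind once the body is chunked and gzipped, and that an inspector which does decompress has to protect itself against a decompression bomb, can be shown in a few dozen lines. The following is an added example, not code from Frank, Dave or the Dailydave list: a minimal HTTP response inspector that de-chunks, inflates with a hard cap on output size, and then checks for a WMF file header (the placeable-metafile key 0x9AC6CDD7 and the standard METAHEADER prefix, both real format constants). It assumes it sees plaintext HTTP; traffic inside SSL stays opaque unless the session is terminated in front of the inspector, which is exactly the evasion the message describes. The function names and the sample response are my own constructions.

```python
"""Added example (not from the Dailydave thread): a small HTTP response inspector that
undoes chunked transfer encoding and gzip/deflate content encoding, with a cap on the
inflated size as a guard against decompression bombs, before checking for a WMF header.
All sample traffic below is constructed."""
import gzip
import zlib

# WMF magic: the placeable-metafile key 0x9AC6CDD7 (little-endian on disk) and the
# standard METAHEADER prefix (type 1, header size 9 words).
WMF_PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"
WMF_STANDARD_PREFIX = b"\x01\x00\x09\x00"
MAX_DECOMPRESSED = 1 << 20  # inflate at most 1 MiB per body before giving up


def looks_like_wmf(data: bytes) -> bool:
    """Match on the file header, not on any particular exploit's bytes."""
    return data.startswith(WMF_PLACEABLE_KEY) or data.startswith(WMF_STANDARD_PREFIX)


def dechunk(body: bytes) -> bytes:
    """Reassemble a Transfer-Encoding: chunked body (chunk extensions are ignored)."""
    out = bytearray()
    pos = 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";", 1)[0].strip(), 16)
        pos = end + 2
        if size == 0:          # last-chunk marker
            break
        out += body[pos:pos + size]
        pos += size + 2        # skip the CRLF that terminates the chunk data
    return bytes(out)


def bounded_inflate(data: bytes, limit: int = MAX_DECOMPRESSED) -> bytes:
    """Inflate a gzip or zlib (Content-Encoding: deflate) stream, refusing output > limit."""
    d = zlib.decompressobj(zlib.MAX_WBITS | 32)  # 32: auto-detect gzip vs zlib header
    out = d.decompress(data, limit + 1)          # ask for one byte more than allowed
    if len(out) > limit:
        raise ValueError("decompressed body exceeds %d bytes; possible decompression bomb" % limit)
    return out


def inspect_response(raw: bytes) -> dict:
    """Return whether a WMF header is visible on the wire (naive) and after decoding."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().lower().decode()
    naive = looks_like_wmf(body)  # what a signature matching raw bytes would see
    if headers.get("transfer-encoding") == "chunked":
        body = dechunk(body)
    if headers.get("content-encoding") in ("gzip", "deflate"):
        body = bounded_inflate(body)
    return {"naive_match": naive, "decoded_match": looks_like_wmf(body), "decoded_len": len(body)}


def chunkify(data: bytes, size: int) -> bytes:
    """Encode data as chunked transfer encoding using chunks of `size` bytes."""
    pieces = [data[i:i + size] for i in range(0, len(data), size)]
    return b"".join(b"%x\r\n%s\r\n" % (len(p), p) for p in pieces) + b"0\r\n\r\n"


def build_sample(chunk_size: int = 5) -> bytes:
    """Constructed response: a WMF-looking body, gzipped, then sent in tiny chunks."""
    payload = WMF_PLACEABLE_KEY + b"\x00" * 18 + WMF_STANDARD_PREFIX + b"\x00" * 14
    return (b"HTTP/1.1 200 OK\r\nContent-Type: image/x-wmf\r\n"
            b"Content-Encoding: gzip\r\nTransfer-Encoding: chunked\r\n\r\n"
            + chunkify(gzip.compress(payload), chunk_size))


if __name__ == "__main__":
    print(inspect_response(build_sample()))
    try:
        bounded_inflate(gzip.compress(b"\x00" * (4 * MAX_DECOMPRESSED)))
    except ValueError as e:
        print("refused:", e)
```

Running it shows `naive_match` false and `decoded_match` true for the constructed response: the header is only visible after the chunking and gzip are undone. The cap in `bounded_inflate` is the part that matters for the "0-bomb" remark: `decompressobj.decompress` is asked for one byte more than the budget, so a stream that inflates past the limit is rejected without ever materialising the full output.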