IDS mailing list archives

RE: Anomaly based network IDS


From: "Graham, Robert (ISS Atlanta)" <rgraham () iss net>
Date: Fri, 28 Mar 2003 02:36:55 -0500

From: vishal p [mailto:vishalsec () yahoo com]
> Symantec Manhunt is a good example of that.

Manhunt is actually a poor example.

Manhunt focuses on validating protocols: it watches network traffic to
see if it conforms to the official protocol specifications. If it
doesn't conform (i.e. is invalid), then it triggers an event.

What vendors like Network ICE, NFR, SecureNet Pro, ISS etc. have
traditionally called "protocol-anomaly detection" is a similar process
of watching network traffic looking for things that conform to the
official specification, but which appear to be abnormal.

For example, consider the SNMP protocol decode I wrote in my product. It
looks at the community string length field. It does two checks. One
check is to see if the "length" claims to be longer than the packet --
which is invalid. Another check tests it against the threshold length of
256 characters -- which is valid, but unusual.

Protocol validation and valid-but-anomalous detection give very different
results. They differ from each other in output as much as traditional
pattern matching differs from either of them.

A good example of an anomaly signature is the following:
SQL_SSRP_StackBo  is (
        udp.dst == 1434
        ssrp.type == 4 
        ssrp.name.length > ssrp.threshold)
where ssrp.type is first-byte of packet
where ssrp.name is nul-terminated string starting at second byte
where ssrp.threshold defaults to 97

This signature was written for my IDS back in August of last year --
right after the vulnerability was announced. Unlike pattern-match
systems (like Dragon or Snort), I didn't have to wait for Slammer to
appear in order to write detection for it. Unlike a protocol validator
like Manhunt, I tested things which were legal as far as the protocol
was concerned, but which are strange/odd/weird/anomalous.

Note that most of the signatures in RealSecure are written in the manner
demonstrated by the signature above, though Symantec claims that
RealSecure doesn't support protocol-anomaly detection.
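The two kinds of check the post contrasts, run side by side over the SSRP request format the SQL_SSRP_StackBo signature describes, as an added example that is not part of the original message or of any vendor's product. It assumes the decoder is handed the UDP destination port and the bare UDP payload; the function names, the verdict labels ("invalid", "anomalous") and the sample packets are this example's own constructions. Port 1434, type byte 0x04, the nul-terminated name starting at the second byte and the default threshold of 97 are taken from the signature quoted above.

```python
"""Protocol-validation vs. protocol-anomaly checks for SSRP client requests.

validate_ssrp()  -> Manhunt-style check: does the packet conform to the
                    protocol at all? (a name that is never nul-terminated
                    inside the packet is *invalid*)
ssrp_stack_bo()  -> the anomaly signature from the post: a name that IS
                    legal but longer than anyone would ever use is
                    *valid-but-anomalous*.

Both are evaluated independently, so a single packet can trip either,
both, or neither, which is the difference in output the post is about.
"""
from typing import Dict, Optional, Tuple

SSRP_PORT = 1434                     # udp.dst == 1434
SSRP_TYPE_INSTANCE_LOOKUP = 0x04     # ssrp.type == 4 (first byte of packet)
DEFAULT_THRESHOLD = 97               # ssrp.threshold defaults to 97


def ssrp_name_length(payload: bytes) -> Tuple[int, bool]:
    """Length of ssrp.name (nul-terminated string starting at byte 1).

    Returns (length, terminated). If no nul is present, the name runs to
    the end of the packet and `terminated` is False.
    """
    body = payload[1:]
    nul = body.find(b"\x00")
    if nul == -1:
        return len(body), False
    return nul, True


def validate_ssrp(payload: bytes) -> Optional[str]:
    """Protocol-validation check. Returns None if the packet conforms to
    the expected shape, otherwise a short reason string."""
    if not payload:
        return "empty payload"
    if payload[0] != SSRP_TYPE_INSTANCE_LOOKUP:
        return None  # other message types are not decoded by this example
    _, terminated = ssrp_name_length(payload)
    if not terminated:
        return "name not nul-terminated"
    return None


def ssrp_stack_bo(dst_port: int, payload: bytes,
                  threshold: int = DEFAULT_THRESHOLD) -> bool:
    """The SQL_SSRP_StackBo anomaly signature, evaluated as written:
    udp.dst == 1434 and ssrp.type == 4 and ssrp.name.length > threshold.
    Note it does not care whether the packet is well-formed."""
    if dst_port != SSRP_PORT or not payload:
        return False
    if payload[0] != SSRP_TYPE_INSTANCE_LOOKUP:
        return False
    length, _ = ssrp_name_length(payload)
    return length > threshold


def inspect(dst_port: int, payload: bytes) -> Dict[str, object]:
    """Run both checks and report the combined verdict for one packet."""
    invalid_reason = validate_ssrp(payload) if dst_port == SSRP_PORT else None
    anomalous = ssrp_stack_bo(dst_port, payload)
    length, _ = ssrp_name_length(payload) if payload else (0, True)
    return {
        "name_length": length,
        "invalid": invalid_reason,      # None when the packet conforms
        "anomalous": anomalous,         # True when the signature fires
    }


# Constructed sample packets (not real captures).
SAMPLES = {
    "ordinary lookup":        (1434, b"\x04" + b"MSSQLSERVER" + b"\x00"),
    "legal but huge name":    (1434, b"\x04" + b"A" * 120 + b"\x00"),
    "unterminated filler":    (1434, b"\x04" + b"\x01" * 100),
    "other SSRP type":        (1434, b"\x02"),
    "same bytes, wrong port": (53,   b"\x04" + b"A" * 120 + b"\x00"),
}

if __name__ == "__main__":
    for label, (port, pkt) in SAMPLES.items():
        print(f"{label:24s} -> {inspect(port, pkt)}")
```

The point of running both checks is visible in the "legal but huge name" sample: it passes validation (it is a correctly nul-terminated string) yet trips the anomaly signature, which is exactly the case a pure protocol validator would never report. Conversely "unterminated filler" is invalid under validation and, because the unterminated name runs to the end of the packet, also exceeds the threshold.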

