IDS mailing list archives
Re: interesting paper on testing sig-based IDS
From: Jonathon Giffin <giffin () cs wisc edu>
Date: Mon, 28 Feb 2005 10:32:20 -0600
Kohlenberg, Toby wrote:
http://www.cs.ucsb.edu/~vigna/pub/2004_vigna_robertson_balzarotti_CCS04.pdf
You may also be interested in Automatic Generation and Analysis of NIDS Attacks by Rubin, Jha, and Miller from ACSAC 2004.
http://www.cs.wisc.edu/wisa/papers/acsac04/RJM04.pdf

Abstract: A common way to elude a signature-based NIDS is to transform an attack instance that the NIDS recognizes into another instance that it misses. For example, to avoid matching the attack payload to a NIDS signature, attackers split the payload into several TCP packets or hide it between benign messages. We observe that different attack instances can be derived from each other using simple transformations. We model these transformations as inference rules in a natural-deduction system. Starting from an exemplary attack instance, we use an inference engine to automatically generate all possible instances derived by a set of rules. The result is a simple yet powerful tool capable of both generating attack instances for NIDS testing and determining whether a given sequence of packets is an attack.
In several testing phases using different sets of rules, our tool exposed serious vulnerabilities in Snort--a widely deployed NIDS. Attackers acquainted with these vulnerabilities would have been able to construct instances that elude Snort for any TCP-based attack, any Web-CGI attack, and any attack whose signature is a certain type of regular expression.
Disclaimer: I am part of the same research group as the authors of this paper.
Thanks, Jon
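An added illustration of the TCP-split case the abstract mentions, written from the detection side; this is example code, not part of the original post or of the paper's tool. The signature, the request and the segment boundaries are all constructed, and the reassembler is a minimal sequence-number merge rather than any real NIDS's stream engine.

```python
import re
from dataclasses import dataclass

# Constructed sample signature: a CGI path followed later by a "../" component.
SIGNATURES = {"cgi-traversal": re.compile(rb"/cgi-bin/[^\s]*\.\./")}

# Constructed sample request and its split into three TCP segments (seq numbers assumed).
REQUEST = b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n"


@dataclass
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


SPLIT_ATTACK = [  # delivered out of order; no single segment contains the full pattern
    Segment(1018, REQUEST[18:]),
    Segment(1000, REQUEST[:10]),
    Segment(1010, REQUEST[10:18]),
]


def match_per_packet(segments, sigs):
    """Naive matcher: run every signature against each segment's payload alone."""
    return {name for seg in segments for name, pat in sigs.items() if pat.search(seg.payload)}


def reassemble(segments):
    """Merge segments by sequence number, tolerating reordering and overlapping
    retransmissions (first copy wins). A gap means the stream cannot be matched."""
    buf, expected = bytearray(), None
    for seg in sorted(segments, key=lambda s: s.seq):
        if expected is None:
            expected = seg.seq
        if seg.seq > expected:
            raise ValueError("gap in stream at seq %d" % expected)
        skip = expected - seg.seq          # bytes already seen in an earlier segment
        if skip < len(seg.payload):
            buf += seg.payload[skip:]
            expected += len(seg.payload) - skip
    return bytes(buf)


def match_reassembled(segments, sigs):
    """Stream-aware matcher: reassemble first, then apply the signatures once."""
    data = reassemble(segments)
    return {name for name, pat in sigs.items() if pat.search(data)}
```

Matching per packet reports nothing for the split request, while matching the reassembled stream flags it; a retransmitted segment is merged without duplicating bytes.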