IDS mailing list archives
Re: Packet/Protocol Anomaly Detection with IDS
From: "hibano haleluya" <hibano () hotmail com>
Date: Wed, 25 May 2005 05:01:39 +0000
Hi, I juz wanna add some info. Normally all standard services are already defined in RFC.But sometimes, these services alway be attacked from intruders by using weak points of applications by using un-standard packet which defined by RFC.
Such as packet range in DNS query, or any packets which are included abnormal flag bits. If some applications get any abnormal input like these, they will be attacked.
Good IDS & IDP must capture non-standard packets for checking and preventing.
PS. May not be best describe, apologize me in advance. :)) regards, Hibano
From: Joachim Schipper <j.schipper () math uu nl> To: focus-ids () securityfocus com Subject: Re: Packet/Protocol Anomaly Detection with IDS Date: Fri, 20 May 2005 17:40:49 +0200 MIME-Version: 1.0Received: from outgoing.securityfocus.com ([205.206.231.26]) by mc10-f42.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Tue, 24 May 2005 16:58:33 -0700 Received: from outgoing.securityfocus.com by outgoing.securityfocus.com via smtpd (for mc10.bay6.hotmail.com [65.54.166.230]) with ESMTP; Tue, 24 May 2005 16:58:33 -0700 Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])by outgoing2.securityfocus.com (Postfix) with QMQPid 957F2144DA3; Tue, 24 May 2005 17:21:39 -0600 (MDT)Received: (qmail 9634 invoked from network); 20 May 2005 16:12:25 -0000 X-Message-Info: 6sSXyD95QpXuwHD2WyQCQY3U/NWogCbP5cCNv2AASg8= Mailing-List: contact focus-ids-help () securityfocus com; run by ezmlm Precedence: bulk List-Id: <focus-ids.list-id.securityfocus.com> List-Post: <mailto:focus-ids () securityfocus com> List-Help: <mailto:focus-ids-help () securityfocus com> List-Unsubscribe: <mailto:focus-ids-unsubscribe () securityfocus com> List-Subscribe: <mailto:focus-ids-subscribe () securityfocus com> Delivered-To: mailing list focus-ids () securityfocus com Delivered-To: moderator for focus-ids () securityfocus com Mail-Followup-To: focus-ids () securityfocus com References: <20050519205055.30251.qmail () www securityfocus com> User-Agent: Mutt/1.4.2i X-GnuPG-key: 3D6A8A5F, available at http://jschipper.dynalias.net/key X-GnuPG-fingerprint: 23E2 60F6 28DE BC9F 3E5D 414D 39CA 2BF4 3D6A 8A5FX-Spam-Checker-Version: SpamAssassin 3.0.0-r20550 (2004-05-28) on mail.securityfocus.com X-Spam-Status: No, score=0.3 required=5.0 tests=AWL,FORGED_RCVD_HELO autolearn=failed version=3.0.0-r20550 X-Spam-Level: Return-Path: focus-ids-return-6096-hibano=hotmail.com () securityfocus com X-OriginalArrivalTime: 24 May 2005 23:58:33.0346 (UTC) FILETIME=[7DF82620:01C560BC]On Thu, May 19, 2005 at 08:50:55PM -0000, Harald Frlinger wrote: > > > Hi Community, > > im a student, and at the moment im searching > for some input to write my exam. >> The title is "Packet/Protocol Anomaly Detection with IDS", i already got some good input.> But some things are quiet hard to find. > > What i need is some examples on attacks, > on specific protocols, like ftp, http, tcp ... > I know there are attacks like Dos or Buffer Overflows. > But i need some more. > > Maybe you can tell me some good ressources or > examples. > > Thanks all, and sorry for my english. > > > mfg > harry Hello Harry, one thing I recently discovered was HTTP response splitting (known for some time, but hey - I can't know everything). Quite interesting. Some FTP implementations (wuftpd) react(ed) badly to LIST commands with lots of wildcards, which allows an easy DoS. Brute-forcing might be interesting too. There are many others, but I'm just a student myself... ;-) Joachim << attach3 >>
-------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly?Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------
Current thread:
- Packet/Protocol Anomaly Detection with IDS Frlinger (May 19)
- Re: Packet/Protocol Anomaly Detection with IDS Joachim Schipper (May 24)
- Re: Packet/Protocol Anomaly Detection with IDS hibano haleluya (May 28)
- Re: Packet/Protocol Anomaly Detection with IDS Joachim Schipper (May 24)