Re: Packet/Protocol Anomaly Detection with IDS

["hibano haleluya" <hibano () hotmail com>]

Hi,

I juz wanna add some info.

Normally all standard services are already defined in RFC.

But sometimes, these services alway be attacked from intruders by using weak 
points of applications by using un-standard packet which defined by RFC.

Such as packet range in DNS query, or any packets which are included 
abnormal flag bits. If some applications get any abnormal input like these, 
they will be attacked.

Good IDS & IDP must capture non-standard packets for checking and 
preventing.


PS. May not be best describe, apologize me in advance. :))

regards,

Hibano



> From: Joachim Schipper <j.schipper () math uu nl>
> To: focus-ids () securityfocus com
> Subject: Re: Packet/Protocol Anomaly Detection with IDS
> Date: Fri, 20 May 2005 17:40:49 +0200
> MIME-Version: 1.0
> Received: from outgoing.securityfocus.com ([205.206.231.26]) by 
> mc10-f42.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Tue, 24 May 2005 
> 16:58:33 -0700
> Received: from outgoing.securityfocus.com by outgoing.securityfocus.com     
>      via smtpd (for mc10.bay6.hotmail.com [65.54.166.230]) with ESMTP; 
> Tue, 24 May 2005 16:58:33 -0700
> Received: from lists.securityfocus.com (lists.securityfocus.com 
> [205.206.231.19])by outgoing2.securityfocus.com (Postfix) with QMQPid 
> 957F2144DA3; Tue, 24 May 2005 17:21:39 -0600 (MDT)
> Received: (qmail 9634 invoked from network); 20 May 2005 16:12:25 -0000
> X-Message-Info: 6sSXyD95QpXuwHD2WyQCQY3U/NWogCbP5cCNv2AASg8=
> Mailing-List: contact focus-ids-help () securityfocus com; run by ezmlm
> Precedence: bulk
> List-Id: <focus-ids.list-id.securityfocus.com>
> List-Post: <mailto:focus-ids () securityfocus com>
> List-Help: <mailto:focus-ids-help () securityfocus com>
> List-Unsubscribe: <mailto:focus-ids-unsubscribe () securityfocus com>
> List-Subscribe: <mailto:focus-ids-subscribe () securityfocus com>
> Delivered-To: mailing list focus-ids () securityfocus com
> Delivered-To: moderator for focus-ids () securityfocus com
> Mail-Followup-To: focus-ids () securityfocus com
> References: <20050519205055.30251.qmail () www securityfocus com>
> User-Agent: Mutt/1.4.2i
> X-GnuPG-key: 3D6A8A5F, available at http://jschipper.dynalias.net/key
> X-GnuPG-fingerprint: 23E2 60F6 28DE BC9F 3E5D  414D 39CA 2BF4 3D6A 8A5F
> X-Spam-Checker-Version: SpamAssassin 3.0.0-r20550 (2004-05-28) on 
> mail.securityfocus.com
> X-Spam-Status: No, score=0.3 required=5.0 tests=AWL,FORGED_RCVD_HELO 
> autolearn=failed version=3.0.0-r20550
> X-Spam-Level: Return-Path: 
> focus-ids-return-6096-hibano=hotmail.com () securityfocus com
> X-OriginalArrivalTime: 24 May 2005 23:58:33.0346 (UTC) 
> FILETIME=[7DF82620:01C560BC]
>
> On Thu, May 19, 2005 at 08:50:55PM -0000, Harald Frlinger wrote:
> >
> >
> > Hi Community,
> >
> > im a student, and at the moment im searching
> > for some input to write my exam.
> >
> > The title is "Packet/Protocol Anomaly Detection with IDS", i already got 
> some good input.
> > But some things are quiet hard to find.
> >
> > What i need is some examples on attacks,
> > on specific protocols, like ftp, http, tcp ...
> > I know there are attacks like Dos or Buffer Overflows.
> > But i need some more.
> >
> > Maybe you can tell me some good ressources or
> > examples.
> >
> > Thanks all, and sorry for my english.
> >
> >
> > mfg
> > harry
>
> Hello Harry,
>
> one thing I recently discovered was HTTP response splitting (known for
> some time, but hey - I can't know everything). Quite interesting.
>
> Some FTP implementations (wuftpd) react(ed) badly to LIST commands with
> lots of wildcards, which allows an easy DoS.
>
> Brute-forcing might be interesting too.
>
> There are many others, but I'm just a student myself... ;-)
>
>                 Joachim
> << attach3 >>



--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------