IDS mailing list archives
RE: File-format based vulns - How do vendors detect them?
From: "David Goodrum" <dgoodrum () nfr com>
Date: Thu, 10 Nov 2005 22:23:36 -0500
Hi Joshua, Disclosure: as per my email address, I work for NFR Security. File format vulnerabilities are not new; they've been out for well over a year. At NFR, we have a module (package) called "badfiles", oddly enough. It actually does byte level analysis. Here's a snippet from the comments in badfiles source code from the developer: #it collects file transmission bytestreams from compatible network #protocol state machines and performs quick decoding on file formats that #have been used as exploit transmission vectors, thus treating the file #format itself as a network data protocol.... "compatible network protocol state machines" include SMTP, IRC, HTTP & FTP. Regarding your question regarding resource consumption: Yes, doing this type of intensive file scanning absolutely takes resources. Doing these types of checks is _very_ CPU intensive. Our 4Gbps product actually has 17 CPU's in it because it's the only way to actually keep up with this type of stuff at these line speeds. Everybody wants everything in one box, and the only way to do it is to throw horsepower at it. We could probably do 10Gbps if people would take the 4Gbps product and just buy two, and on one box, only run badfiles stuff (essentially anti-virus), and on the other box, run the normal IPS/IDS stuff! Hope this answers your questions appropriately. If you need more details, lemme know, -dave -----Original Message----- From: Joshua Russel [mailto:joshua.russel () gmail com] Sent: Wednesday, November 09, 2005 8:34 AM To: focus-ids () securityfocus com Subject: File-format based vulns - How do vendors detect them? Hi, After the recent announcement of file-format based vulnerabilities in MS Patch Tuesday, I was wondering how do IPS/IDS vendors claim to protect against them (most of them like TippingPoint claim to do so). Do they scan data transfer streams (SMTP, FTP, HTTP etc) for these malicious files or is it a local check? If they do detect it on the network doesn't it screw up their device due to high chance of false positives and high resource consumption. --Joshua ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------ ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
Current thread:
- File-format based vulns - How do vendors detect them? Joshua Russel (Nov 09)
- RE: File-format based vulns - How do vendors detect them? David Goodrum (Nov 14)
- <Possible follow-ups>
- RE: File-format based vulns - How do vendors detect them? Palmer, Paul (ISSAtlanta) (Nov 16)