IDS mailing list archives
RE: File-format based vulns - How do vendors detect them?
From: "Palmer, Paul (ISSAtlanta)" <PPalmer () iss net>
Date: Mon, 14 Nov 2005 18:09:33 -0500
I work for ISS. The means of protection provided by vendors varies greatly for file format-based attacks. Some vendors simply include patterns for known file format exploits on the likely ports, the same as they would for protocol-based attacks they detect. Others can distinguish the file contents from the protocol contents and will exercise a different set of patterns against the file contents.

ISS products have a set of file format parsers to complement our protocol parsers. That is, the products will step through the elements of the file looking for attempts to exploit vulnerabilities. For instance, to protect against any attempts to exploit CVE-2004-0200 (a buffer overflow in JPEG files), the ISS products will parse the file on the fly, identifying and examining each tag to report any that contain a length that would exploit vulnerable software. Because the product is organized as a multi-layered collection of protocol and file parsers, consistent detection and protection occurs regardless of whether the image was seen in a compressed HTTP download or as a BASE64-encoded attachment to a MIME-encoded e-mail message.

The ISS approach does not have a high false positive rate. The approach also has a very low false negative rate. It does take more resources to parse the file contents, but not significantly so.

Even products based on simple pattern matching will typically have a low false positive rate, as they will tend to match on long, but arbitrary, patterns from known exploits. This approach is also not significantly more resource intensive than pattern matching on protocols. However, the false negative rate is very high for this approach.

Paul

-----Original Message-----
From: Joshua Russel [mailto:joshua.russel () gmail com]
Sent: Wednesday, November 09, 2005 8:34 AM
To: focus-ids () securityfocus com
Subject: File-format based vulns - How do vendors detect them?

Hi,

After the recent announcement of file-format based vulnerabilities in MS Patch Tuesday, I was wondering how IPS/IDS vendors claim to protect against them (most of them, like TippingPoint, claim to do so). Do they scan data transfer streams (SMTP, FTP, HTTP etc.) for these malicious files, or is it a local check? If they do detect it on the network, doesn't it screw up their device due to the high chance of false positives and high resource consumption?

--Joshua

------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
------------------------------------------------------------------------
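The segment-by-segment parsing Paul describes, as an added example that is not ISS code and not part of the original thread: a Python walker that steps through JPEG marker segments and reports any length field the format itself cannot allow (smaller than the two bytes the field occupies, or extending past the end of the data). The thread does not say which length triggers CVE-2004-0200, so the checks here are JPEG format invariants rather than a signature for that bug; the sample inputs are constructed, not real images.

```python
import struct
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))  # TEM, SOI, EOI, RST0-7: no length field

def walk_jpeg(data):
    """Step through JPEG marker segments, returning [(offset, marker, length)].
    Raises ValueError on a length field that violates the format."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    segments, pos = [], 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker prefix at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte before a marker; skip it
            pos += 1
            continue
        if marker in STANDALONE:
            segments.append((pos, marker, 0))
            pos += 2
            if marker == 0xD9: break    # EOI
            continue
        if pos + 4 > len(data):
            raise ValueError(f"marker 0x{marker:02X} at offset {pos}: truncated length field")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]   # big-endian, includes itself
        if length < 2:
            raise ValueError(f"marker 0x{marker:02X} at offset {pos}: length field {length} is smaller than the 2 bytes it occupies")
        if pos + 2 + length > len(data):
            raise ValueError(f"marker 0x{marker:02X} at offset {pos}: length {length} runs past end of data")
        segments.append((pos, marker, length))
        if marker == 0xDA: break    # SOS: entropy-coded data follows, header parsing stops here
        pos += 2 + length
    return segments

def scan(data):
    """Return None if every segment length is well-formed, else the finding text."""
    try:
        walk_jpeg(data)
        return None
    except ValueError as e:
        return str(e)

def _segment(marker, payload):  # builds a constructed marker segment with a correct length field
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed samples (not decodable images): a well-formed header sequence, the same with a
# COM (0xFE) length field of 1, and the good one cut two bytes short inside the SOS segment.
APP0 = _segment(0xE0, b"JFIF\x00\x01\x02\x00\x00\x01\x00\x01\x00\x00")
SOS = _segment(0xDA, b"\x01\x01\x00")
GOOD_JPEG = b"\xff\xd8" + APP0 + _segment(0xFE, b"hello") + SOS
BAD_JPEG = b"\xff\xd8" + APP0 + b"\xff\xfe\x00\x01hello" + SOS
TRUNCATED_JPEG = GOOD_JPEG[:-2]
```

A network sensor would run this over the reassembled, decoded file body (after HTTP decompression or MIME/BASE64 decoding), which is the layering the reply describes.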
Current thread:
- File-format based vulns - How do vendors detect them? Joshua Russel (Nov 09)
- RE: File-format based vulns - How do vendors detect them? David Goodrum (Nov 14)
- <Possible follow-ups>
- RE: File-format based vulns - How do vendors detect them? Palmer, Paul (ISSAtlanta) (Nov 16)