IDS mailing list archives
RE: Help in writing Network IDS/IPS signature to detect sftp vulnerability
From: "Srinivasa Addepalli" <srao () intoto com>
Date: Mon, 9 Jun 2008 13:21:22 -0700
As an administrator, one can create a 'Policy violation' signature. The freeSSHD daemon sends the string "SSH-2.0-WeOnlyDo 2.0.3" upon client connection. It seems that 'WeOnlyDo' is the name of the company which made this software. 2.0.3 could be the software's internal version. You could write a signature which checks for the string 'WeOnlyDo' and possibly the version string.

Srini

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Ravi Chunduru
Sent: Friday, June 06, 2008 5:22 PM
To: Focus IDS
Subject: Help in writing Network IDS/IPS signature to detect sftp vulnerability

Hi,

Check this disclosure at http://archives.neohapsis.com/archives/fulldisclosure/2008-06/0101.html

The attack data is encrypted within the encrypted SSH. Without having to decrypt the SSH, is there any clever way to detect this (using some kind of anomaly on the packet size, type of characters, etc.)?

Thanks,
Ravi
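The banner check suggested in the reply above, sketched as an added example (not code from the thread or from any IDS product): it parses the cleartext SSH identification string that precedes key exchange and flags a server announcing 'WeOnlyDo'. The function names, alert fields and sample payloads are assumptions made for illustration; like the suggested signature, it reports the presence of the server software and does not inspect the encrypted session.

```python
import re

# RFC 4253 section 4.2: before key exchange the server sends, in cleartext,
# "SSH-protoversion-softwareversion SP comments CR LF".
# Lines sent before it must not start with "SSH-".
IDENT_RE = re.compile(rb"^SSH-([0-9.]+)-([^ \r\n]+)(?: ([^\r\n]*))?$")
MAX_IDENT = 255  # RFC limit for the identification string, CR LF included


def parse_server_ident(payload: bytes):
    """Return (protoversion, softwareversion, comments) or None."""
    # Drop the trailing fragment: only newline-terminated lines are complete.
    for line in payload.split(b"\n")[:-1]:
        line = line.rstrip(b"\r")
        if not line.startswith(b"SSH-"):
            continue  # text line sent before the identification string
        m = IDENT_RE.match(line)
        if m is None or len(line) + 2 > MAX_IDENT:
            return None  # malformed or over-long identification string
        return tuple((g or b"").decode("ascii", "replace") for g in m.groups())
    return None


def policy_violation(payload: bytes, product="WeOnlyDo", version=None):
    """Alert dict if the banner names `product` (and `version`, if given)."""
    ident = parse_server_ident(payload)
    if ident is None:
        return None
    proto, software, comments = ident
    if not software.startswith(product):
        return None
    # In "SSH-2.0-WeOnlyDo 2.0.3" the 2.0.3 follows a space, so it is parsed
    # as the comments field, not as part of softwareversion.
    if version is not None and version not in comments.split():
        return None
    return {"msg": "POLICY " + product + " SSH server banner",
            "proto": proto, "software": software, "comments": comments}


# Constructed sample payloads; the first banner is the string quoted in the post.
SAMPLES = [
    b"SSH-2.0-WeOnlyDo 2.0.3\r\n",
    b"notice line\r\nSSH-2.0-WeOnlyDo 2.0.3\r\n\x00\x00\x01\x14",
    b"SSH-2.0-OpenSSH_4.7\r\n",
    b"SSH-2.0-WeOnly",  # truncated segment, no CR LF yet
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[:40], "->", policy_violation(sample))
```

Feed it the first server-to-client bytes of a reassembled TCP stream; a banner split across segments returns None until the terminating line ending has arrived.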