Re: [NSE] IDS behavior detection scripts

[Joao Correa <joao () livewire com br>]

Hi David,

Thanks for the answer,

On Mon, Mar 29, 2010 at 4:42 PM, David Fifield <david () bamsoftware com> wrote:
> On Mon, Mar 08, 2010 at 03:50:01AM -0300, Joao Correa wrote:
> > These two scripts were very helpful to me a few days ago, while
> > configuring and testing an IDS in a server. Maybe they could be useful
> > to someone else.
>
> I'm trying to decide whether to include these scripts in the
> distribution. Can you tell us more about the situation they helped you
> in? That will help us know what the typical use is and whether the
> scripts are generally useful.

I was configuring an IDS on the server and I wanted to check if it was
working correctly.

> > The main objective of these scripts is trying to identify IDS (or
> > should I call it IPS?) behaviors such as detecting and blocking
> > sql-injections and directory enumeration. I believe that the scripts
> > are self-explained, but if you have any question, I'll be here to
> > answer. If you guys decide that these scripts are interesting enough
> > to be merged to the main trunk, I think that maybe they should get
> > better names and a better output.
>
> It would be better if the scripts were not destructive (didn't
> potentially create a firewall rule) but I guess that is inherent in the
> way they work. What happens if you run the script twice against the same
> host? How about if you run it at the same time as sql-injection.nse?

Unfortunately these scripts are a little destructive, because they are
based on detecting if a firewall rule is created or not. As you
mentioned, this is the way they work.

If you run only sql-injection.nse against a server, suddenly you will
start receiving timeouts and after that you won't be able to discover
any page vulnerable. Also, you won't be noticed why it is happening.

If you run the ids detection script at the same time as sql-injection,
and a IDS is really running, the sql-injection script will start
receiving timeouts, as above mentioned, but at least the user will be
noticed about why he is not discovering any vulnerabilities.

Considering that the server is running an IDS, simply running the
script sql-injection.nse can jeopardize the whole execution of nmap,
because it will add firewall rules that, in most cases, are general,
blocking all the traffic from that source IP.

Maybe, instead of adding the scripts, we could add its functionality
to both sql-injection.nse and http-enum.nse. The problem about adding
it to sql-injection.nse is that  this script depends on spidering the
web server, what won't work fine (for ids detection) if your server is
hosting only a few pages that takes no parameters (which was my case
and motivated me to write the scripts). I suggest that, if you decide
that it is a good thing to include the functionality to sql-injection,
it runs the ids check before start the vulnerability check (something
like coping the ids script to the beginning of the sql-injection
script) so it won't have the problem above mentioned. For the
http-enum.nse I just think that the script can be easily merged,
because it does not depend on spidering the web server before.

Hope I've been enough clear, if you have any doubt, just ask!

If you think that it is a good choice, I can work on the patches. If
you prefer adding the scripts as they were written, I will also be
glad.

Thanks again,
João.

> David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/