Security Basics mailing list archives

RE: Protocol Specific Intrusion Detect/Prevention Systems.


From: "Arun Vishwanathan" <arun.vishwanathan () nevisnetworks com>
Date: Wed, 1 Mar 2006 00:56:51 +0530


Have you looked at this, 

http://www.modsecurity.org

Maybe you will get some more ideas.

Regards
Arun


-----Original Message-----
From: coder [mailto:elite.coder () ntlworld com] 
Sent: Tuesday, February 28, 2006 4:49 AM
To: security-basics () securityfocus com
Subject: Protocol Specific Intrusion Detect/Prevention Systems.

Hello Everyone,

Some of you may have seen many of my emails on this list and the other
lists, mainly asking about firewalls and filters.

Well, for some time now I have been researching within the realm of filters,
firewalls, IDSs and IPSs for limitations within these areas for my university
thesis. I have to find a limitation within a current computing area and
improve on it. Well, it seems every time I come up with a great idea, I find
that someone else has gone and done it or the idea sucks.

Anyways, I have been reading a book on Intrusion Detection and Prevention,
which covers the limitations of IDSs and IPSs... and I think I have come up
with a great idea to improve on these, and I just want to run it by people
that are in the security field.

It seems that current IDS/IPSs have several limitations... if they are
signature based, you have to wait for new signatures for a new attack; if
they are anomaly based they have to be trained to the network traffic, which
takes a while, and also they are generic in the sense that they have to
detect attacks on all protocols/services, which means lots of
rules/signatures to process, and the signatures are not very generic in the
sense that a signature will only detect one type of attack.

My idea is to create a service specific IPS, which just monitors one service
that it has been custom written for, so that it "fully understands" the
service. So for example, the idea I have for the HTTP IPS will:

Search for and store the names of all the folders within the wwwroot folder,
then, when a 404 error is returned, the IPS will check to see if the user was
way off in folders, or just out of range, e.g.: if the following paths that
caused 404 errors were read from the IIS log file:

\afolder\annotherfolder\index.html
\afolder\annotherfolder\blah.html
\afolder\index.html

If these folders actually exist in the wwwroot, the IPS will just assume that
the user mistyped the filename or they assumed a file/folder that didn't
exist. BUT if these folders do not exist in the wwwroot folder, then the IPS
will take it as a failed attack (after say 3 404s) and block the IP. The IPS
will also store old folders that have been deleted (unless told not to, by
the admin) for people that are linked to old pages that no longer exist, for
Google etc.

The IPS will scan for folders in the HTTP request that do not exist within
wwwroot (traversal attempt etc.).
The IPS will also scan for SQL within a POST/GET (possible SQL injection).
The IPS will scan for lots of characters that are the same and machine
language code (possible buffer overflow).

And other generic attacks can be scanned for. The other things that all the
service specific IPSs will scan for are:

SYN floods.
Port scans (I assume this can be achieved by the IDS detecting a SYN packet,
but no ACK after X amount of time... the IPS can communicate with other
service specific IPSs on the same host and "ask" if they had a SYN packet
sent but no ACK).
Low port numbers (src port < 1024); this will not result in a blocked IP,
just an error sent back and the connection reset.
Whois the attacking IP.
Allow the admin to configure which IPs can be unblocked or ignored (i.e. the
CEO's IP should never be blocked). The admin page will also show alerts and
the packet data.
To detect if an attacker has killed the IPS, the IPS will do an insert into a
remote DB (where it stores alerts etc.) every X mins... if the admin page
shows that an insert has not been made in X mins, the admin knows the IPS was
killed and also the last IP to have sent data.

I think the service specific intrusion detection scans that I have shown
above can be applied to all services.

Please let me know if this has been tried or if it is a good/bad idea.

Thanks for your input.

~Davie Elliott



------------------------------------------------------------------------
---
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting
experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity
Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
------------------------------------------------------------------------
---
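As an added, runnable sketch of the HTTP-side checks described in the original post (this is example code written for this page, not code from the thread and not ModSecurity): the 404 check against the folders that actually exist under wwwroot, the allowance for deleted folders, the traversal, SQL and repeated-character scans, the "block after 3" rule, and the never-block list for the admin's addresses. The wwwroot inventory, the exempt address, the simplified log field order, the two regexes and the strike threshold are all assumptions constructed for the example; a real deployment would walk the web root instead of hard-coding KNOWN_DIRS, and would parse the field order its IIS log is actually configured with.

```python
import re
from collections import defaultdict
from posixpath import normpath
from urllib.parse import unquote, unquote_plus

# Constructed inventory of wwwroot (assumption). The post has the IPS
# "search for and store the names of all the folders"; walk the tree for real.
KNOWN_DIRS = {"/", "/afolder", "/afolder/annotherfolder", "/images"}
RETIRED_DIRS = {"/oldsite"}        # deleted folders kept so stale links are not punished
NEVER_BLOCK = {"10.0.0.5"}         # constructed exemption list ("the CEO's IP")
BLOCK_AFTER = 3                    # the post's "after say 3 404s"
STRIKE_TAGS = {"probe_404", "traversal", "sqli", "overflow"}

# Simplified, constructed log layout (IIS W3C fields are configurable):
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
LOG_RE = re.compile(r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
                    r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})$")
# Assumed heuristics for "SQL within a POST/GET" and "lots of characters that
# are the same"; they are illustrative and will both miss and misfire.
SQL_RE = re.compile(r"(?i)(\bunion\b.*\bselect\b|\bor\b\s+\d+\s*=\s*\d+|'\s*--|;\s*drop\b)")
RUN_RE = re.compile(r"(.)\1{40,}")  # 41+ identical bytes in a row (NOP sled / padding)


def parse(line):
    """Return a dict for one log line, or None if it does not match the layout."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["status"] = int(e["status"])
    e["stem"] = unquote(e["stem"])                    # %2e%2e -> ..
    e["query"] = "" if e["query"] == "-" else unquote_plus(e["query"])
    return e


def is_traversal(stem):
    """True if any path segment is '..' after decoding and normalising slashes."""
    return ".." in stem.replace("\\", "/").split("/")


def parent_dir(stem):
    """Directory part of the requested path (/afolder/x.html -> /afolder)."""
    path = normpath(stem.replace("\\", "/"))
    return path.rsplit("/", 1)[0] or "/"


def classify(e):
    """Tag one request; a 404 only counts as a probe if its folder never existed."""
    tags = []
    if is_traversal(e["stem"]):
        tags.append("traversal")
    if SQL_RE.search(e["query"]):
        tags.append("sqli")
    if RUN_RE.search(e["stem"] + e["query"]):
        tags.append("overflow")
    if e["status"] == 404 and not tags:
        parent = parent_dir(e["stem"])
        if parent in KNOWN_DIRS:
            tags.append("benign_404")    # real folder, mistyped file: no strike
        elif parent in RETIRED_DIRS:
            tags.append("stale_link")    # deleted folder, old search-engine link
        else:
            tags.append("probe_404")
    return tags


def run(lines):
    """Process log lines; return (alerts, blocked_ips, strikes_per_ip)."""
    strikes, blocked, alerts = defaultdict(int), set(), []
    for line in lines:
        e = parse(line)
        if e is None:
            continue
        for tag in classify(e):
            if tag in STRIKE_TAGS:
                alerts.append((e["ip"], tag, e["stem"]))
                strikes[e["ip"]] += 1
        if strikes[e["ip"]] >= BLOCK_AFTER and e["ip"] not in NEVER_BLOCK:
            blocked.add(e["ip"])
    return alerts, blocked, dict(strikes)


# Constructed sample log: the post's three 404s, a traversal plus two probes,
# two SQL injection attempts plus a long run of one byte, and an exempt host.
SAMPLE_LOG = [
    "2006-02-28 04:49:01 192.0.2.10 GET /afolder/annotherfolder/index.html - 404",
    "2006-02-28 04:49:02 192.0.2.10 GET /afolder/annotherfolder/blah.html - 404",
    "2006-02-28 04:49:03 192.0.2.10 GET /afolder/index.html - 404",
    "2006-02-28 04:50:10 198.51.100.7 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 200",
    "2006-02-28 04:50:11 198.51.100.7 GET /cgi-bin/formmail.pl - 404",
    "2006-02-28 04:50:12 198.51.100.7 GET /phpmyadmin/index.php - 404",
    "2006-02-28 04:51:00 203.0.113.9 GET /afolder/search.asp q=%27+OR+1%3D1-- 200",
    "2006-02-28 04:51:01 203.0.113.9 GET /afolder/search.asp q=x%27+UNION+SELECT+user,pass+FROM+users-- 200",
    "2006-02-28 04:52:00 203.0.113.9 GET /default.ida " + "N" * 60 + " 404",
    "2006-02-28 04:53:00 10.0.0.5 GET /oldsite/news.html - 404",
    "2006-02-28 04:53:01 10.0.0.5 GET /nothere/a.html - 404",
    "2006-02-28 04:53:02 10.0.0.5 GET /nothere/b.html - 404",
    "2006-02-28 04:53:03 10.0.0.5 GET /nothere/c.html - 404",
]

if __name__ == "__main__":
    alerts, blocked, strikes = run(SAMPLE_LOG)
    for a in alerts:
        print("ALERT", *a)
    print("blocked:", sorted(blocked), "strikes:", strikes)
```

Running it, the three 404s from the post score no strikes because /afolder and /afolder/annotherfolder exist; the host that hit a traversal and two non-existent folders is blocked on its third strike, as is the one with two SQL strings and a 60-byte run; the exempt host reaches three strikes and is reported but never blocked. The tagging happens on decoded paths and query strings, so the %5c and %27 in the sample are seen as the characters they encode; decoding once is the minimum, and a checker like this should also be fed by the web server itself rather than a log tail, or the block arrives after the damage.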



