Dailydave mailing list archives
Re: The Hydrogen hundred dollar challenge
From: Ron Gula <rgula () tenablesecurity com>
Date: Thu, 14 Apr 2005 14:30:36 -0400
Dave Aitel wrote:
I was reading a weblog the other day, where a person complained because Hydrogen (http://www.immunitysec.com/products-hydrogen.shtml) was too hard to write a Snort signature for. I guess my position is that if your network can be owned by less than 100K of code which I wrote in my spare time five years ago, then it's time to upgrade to a system that can't. Anyways, I will give $100 dollars to the first person who posts a snort or nfr signature that can detect my private (slightly modded) version of Hydrogen. (i.e. make it reasonably generic, and let's not have it false-positive every time I browse the web). The idea here is to show that everything doesn't have to be spoon-fed to you Gerber-style.
We wrote a NeVO (our passive vulnerability and compromise sniffing product) signature to detect a system with the server running Hydrogen. The main part is pretty simple in NeVO language:

    pbmatch=>00
    bmatch=>000001100000001E000000000000

This basically says to look at any session, and if the 1st byte of the client side is '0x00', then look at the other side and see if the first sequence of bytes is '000001100000001E000000000000'. NeVO then flags the host as having Hydrogen running on it and it shows up in the vulnerability report. The sig could be modified so that any time it actually fired, a realtime alert could be generated, so it would act more like an IDS.

I was concerned that there would be false positives with SSL connections, streaming media and other sorts of protocols that put random crap in the connection, but since this locks onto the beginning of TCP sessions, we haven't had any false positives across our user base that we know of.

<sales pitch> Of course, anyone can change the protocol to evade this sort of detection. In that case, NeVO would still lock onto the communications channel and say that machine foobar communicated with machine foobar-prime and they have had an encrypted or possibly interactive (keyboard) session. </sales pitch>

We also wrote a Nessus check, just for completeness.

Ron Gula, CTO
Tenable Network Security
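The two-sided, session-start-anchored match Ron describes is easy to reproduce outside NeVO. The following is an added example written for this archive page, not code from Tenable, Immunity or anyone in the thread: it buffers the first few bytes sent in each direction of a TCP session, applies the client-first-byte and server-prefix conditions from the post, and only ever evaluates them against the start of the stream (which is what keeps a 14-byte pattern from firing on random TLS or streaming payload later in a connection). The session records, addresses and packet contents are constructed for the demonstration; the Snort rendering at the end is my own translation of the server-side half of the signature into Snort content syntax and is not a rule from the post.

```python
"""Bidirectional first-bytes detector modelled on the NeVO pbmatch/bmatch idea.
Added example for this page; not NeVO, Snort or Hydrogen source."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Values taken from the post: client's first byte is 0x00, server's stream
# begins with these 14 bytes (given there as a hex string).
HYDROGEN_CLIENT_FIRST_BYTE = 0x00
HYDROGEN_SERVER_PREFIX = bytes.fromhex("000001100000001E000000000000")

SessionKey = Tuple[str, str]  # (client address, server address); constructed labels


@dataclass
class Session:
    """First bytes seen in each direction of one TCP session."""
    client: bytearray = field(default_factory=bytearray)
    server: bytearray = field(default_factory=bytearray)
    flagged: bool = False


def matches_hydrogen(client_bytes: bytes, server_bytes: bytes) -> bool:
    """Both conditions from the post, applied to the *start* of each direction."""
    return (len(client_bytes) >= 1
            and client_bytes[0] == HYDROGEN_CLIENT_FIRST_BYTE
            and server_bytes.startswith(HYDROGEN_SERVER_PREFIX))


class FirstBytesDetector:
    """Keeps only the first MAX_BYTES per direction per session, so a pattern
    that shows up later in a stream can never satisfy the match."""
    MAX_BYTES = 16

    def __init__(self) -> None:
        self.sessions: Dict[SessionKey, Session] = {}

    def feed(self, src: str, dst: str, from_client: bool, payload: bytes) -> Optional[SessionKey]:
        key: SessionKey = (src, dst) if from_client else (dst, src)
        s = self.sessions.setdefault(key, Session())
        buf = s.client if from_client else s.server
        room = self.MAX_BYTES - len(buf)
        if room > 0:
            buf.extend(payload[:room])  # anchor: bytes past the window are ignored
        if not s.flagged and matches_hydrogen(bytes(s.client), bytes(s.server)):
            s.flagged = True
            return key  # would become the vulnerability-report entry / realtime alert
        return None

    def flagged_servers(self) -> list:
        return sorted(key[1] for key, s in self.sessions.items() if s.flagged)


def snort_content(prefix: bytes) -> str:
    """Render the server-side prefix in Snort's |hex| content notation (my translation;
    the client-side 0x00 condition would need a second rule plus flowbits)."""
    hexbytes = " ".join(f"{b:02X}" for b in prefix)
    return (f'content:"|{hexbytes}|"; depth:{len(prefix)}; flow:to_client,established;')


# Constructed traffic: one Hydrogen-style session, three that must not fire.
CONSTRUCTED_PACKETS = [
    # (src, dst, from_client, payload)
    ("10.0.0.9", "10.0.0.5", True,  b"\x00\x00\x00\x05hello"),
    ("10.0.0.5", "10.0.0.9", False, HYDROGEN_SERVER_PREFIX[:6]),        # split across
    ("10.0.0.5", "10.0.0.9", False, HYDROGEN_SERVER_PREFIX[6:] + b"\x00\x00"),  # two segments
    ("10.0.0.9", "10.0.0.7", True,  b"GET / HTTP/1.0\r\n\r\n"),           # plain HTTP
    ("10.0.0.7", "10.0.0.9", False, b"HTTP/1.0 200 OK\r\n"),
    ("10.0.0.9", "10.0.0.8", True,  b"\x16\x03\x01\x00\x8c\x01\x00\x00"),  # TLS ClientHello
    ("10.0.0.8", "10.0.0.9", False, b"\x16\x03\x01\x00\x4a\x02\x00\x00"),
    ("10.0.0.9", "10.0.0.6", True,  b"\x00abc"),                         # pattern late in stream
    ("10.0.0.6", "10.0.0.9", False, b"banner\r\n"),
    ("10.0.0.6", "10.0.0.9", False, HYDROGEN_SERVER_PREFIX),
]


def run_demo() -> list:
    det = FirstBytesDetector()
    for src, dst, from_client, payload in CONSTRUCTED_PACKETS:
        hit = det.feed(src, dst, from_client, payload)
        if hit:
            print(f"Hydrogen server detected: {hit[1]} (client {hit[0]})")
    return det.flagged_servers()


if __name__ == "__main__":
    print(run_demo())
    print(snort_content(HYDROGEN_SERVER_PREFIX))
```

Because the buffer per direction is capped, the fourth constructed session, whose server emits the 14-byte pattern only after a banner, stays unflagged even though the exact bytes are on the wire; that is the property that makes the signature safe against protocols that carry arbitrary binary data mid-stream, and it is also why changing even the first byte of the protocol defeats it, exactly as the post concedes.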
Current thread:
- The Hydrogen hundred dollar challenge Dave Aitel (Apr 11)
- Re: The Hydrogen hundred dollar challenge Brian (Apr 12)
- Re: The Hydrogen hundred dollar challenge Dave Aitel (Apr 12)
- Re: The Hydrogen hundred dollar challenge Neil (Apr 12)
- Re: The Hydrogen hundred dollar challenge Jason (Apr 12)
- Re: The Hydrogen hundred dollar challenge Dave Aitel (Apr 12)
- Re: The Hydrogen hundred dollar challenge Brian (Apr 12)
- <Possible follow-ups>
- Re: The Hydrogen hundred dollar challenge Ron Gula (Apr 14)