Dailydave mailing list archives

Re: Testing the quickness of signature writers


From: Dave Aitel <dave () immunityinc com>
Date: Tue, 02 May 2006 14:48:51 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

(aka why client side vulnerabilities are impossible to catch with a
network sniffer)

I see the VRT signatures say they can catch RDS.Datastore - it's
always possible it works since I don't have a copy of them myself.
It's always possible it doesn't work though, cause in my mind here's
what you need to do to catch BABYBOTTLE. I'm not specialized in IDS
stuff though, so it's possible I'm going down the wrong rope here:

NIDS:
1. You need to have a robust parser for HTTP and maintain state for a
pseudo-client
2. You have to uncompress and un-chunk the HTTP traffic itself
3. You have to have a javascript and vbscript (and C# script, etc)
emulator. You have to then sit around emulating every page and
checking it for vulnerabilities - by emulating "hooks" or Regular
Expression Madness or whatever. God forbid my attack uses AJAX...

N/HIDS1:
o you can rely on anomaly detection on network traffic or function
calls or whatever

HIDS2:
o you can have a HIDS that hooks the function or some function nearby

So does it work? I dunno. I don't own or run any NIDS so I'll have to
rely on the thousand other people on the list with CANVAS and their
NIDS to ./ and tell us.

- -dave
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFEV6mSB8JNm+PA+iURApidAKCPv52njBEcZMkORprLpgJd8uezBgCfVLTm
PpL6go74SOA16ro/wRM1kiI=
=BrRB
-----END PGP SIGNATURE-----
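To make steps 1 and 2 of the NIDS list concrete, here is an added illustration (not code from the post or from Immunity): a constructed HTTP response whose body is gzip content-coded and then chunked, as real servers routinely do. A byte-pattern signature applied to the raw wire bytes never sees the marker string; only after the sensor plays pseudo-client, reassembling the chunks and decompressing, does the content become inspectable. `MARKER` is a placeholder standing in for whatever a content rule would look for, and the chunk size and headers are made up for the demonstration.

```python
import gzip

# Constructed sample: a placeholder token standing in for any string a
# content signature might look for inside a script served to a browser.
MARKER = b"EXAMPLE_SUSPICIOUS_STRING"
PAGE_BODY = b"<html><script>var x = '" + MARKER + b"';</script></html>"


def chunk_encode(data: bytes, size: int = 7) -> bytes:
    """Apply HTTP/1.1 chunked transfer-coding (hex size line, data, CRLF)."""
    out = bytearray()
    for i in range(0, len(data), size):
        piece = data[i:i + size]
        out += b"%x\r\n" % len(piece) + piece + b"\r\n"
    out += b"0\r\n\r\n"  # last-chunk, no trailers
    return bytes(out)


def build_response(body: bytes) -> bytes:
    """Constructed server response: gzip the body, then chunk the result."""
    compressed = gzip.compress(body)
    headers = (b"HTTP/1.1 200 OK\r\n"
               b"Content-Type: text/html\r\n"
               b"Content-Encoding: gzip\r\n"
               b"Transfer-Encoding: chunked\r\n\r\n")
    return headers + chunk_encode(compressed)


def naive_match(wire_bytes: bytes) -> bool:
    """What a stateless byte-pattern rule sees: only the raw wire bytes."""
    return MARKER in wire_bytes


def chunk_decode(data: bytes) -> bytes:
    """Reassemble a chunked body; chunk extensions and trailers are dropped."""
    out = bytearray()
    pos = 0
    while True:
        end = data.index(b"\r\n", pos)
        size_line = data[pos:end].split(b";", 1)[0]  # strip chunk extensions
        size = int(size_line, 16)
        pos = end + 2
        if size == 0:
            break
        out += data[pos:pos + size]
        pos += size + 2  # skip the CRLF that terminates the chunk data
    return bytes(out)


def decode_response(wire_bytes: bytes) -> bytes:
    """Pseudo-client step: parse headers, un-chunk, then decompress."""
    head, _, body = wire_bytes.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    if headers.get(b"transfer-encoding") == b"chunked":
        body = chunk_decode(body)
    if headers.get(b"content-encoding") == b"gzip":
        body = gzip.decompress(body)
    return body


def stateful_match(wire_bytes: bytes) -> bool:
    """Same rule, but applied to what the browser would actually see."""
    return MARKER in decode_response(wire_bytes)


if __name__ == "__main__":
    wire = build_response(PAGE_BODY)
    print("raw-bytes signature matches:", naive_match(wire))
    print("after un-chunk + gunzip:   ", stateful_match(wire))
```

With a 7-byte chunk size the marker can never sit inside one chunk, so the raw-bytes rule fails even before compression is considered; the gzip layer then hides it a second time. A sensor that wants to inspect content has to carry per-connection state through both decodings, which is the cost the post is pointing at, and the script engines in step 3 sit on top of all of that.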

