Re: IDS alerts / second - Correlation - Virtualization

[Jason <security () brvenik com>]

Inline :-)

re-ordered for your top down reading pleasure.

>>> why not block traffic you're not supposed to
> > > see? yes, block requests to /etc/passwd (and other naughty
> > > actions) across all ports from the outside world into your dmz.
> > > why wouldn't you?
> >
> > The simple answer is because this mail would have never reached us
> > and likely will not reach many already.
> >
> >
> > CAT /ETC/PASSWD is also a perfectly valid Unix command on some
> > systems in all caps.
> >
> > Do you think that this mail can be processed and confidently
> > assured to be safe?
>
> Ignoring the top posting habit,

what ever floats ur boat dood.

> Yes. Mail bodies traditionally are not run through eval(), but
> pattern matched. Stuff sent to scripts through mail is a different
> beast, and in general, that code is well written.

Hrm. I'm pretty sure that attackers can comply with "traditionally"
and yet still win. I also wouldn't agree that the scripts that handle
automation are generally well written. This entire industry is based on 
failures in the same assumptions you are making here.

> I have never seen any situation where a mail body contained a script 
> which would be run automatically on a Unix system. Plus, you can just
>  use a current scanner like amavisd-new to only allow valid commands
> to be sent to the script (per recipient specifications).

Just because you have not seen it does not mean it is not there.
Reference any outlook vuln or the below sendmail vuln.

http://www.securityfocus.com/bid/6991
http://www.securityfocus.com/archive/1/313757

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------