IDS mailing list archives
Re: IDS alerts / second - Correlation - Virtualization
From: Jason <security () brvenik com>
Date: Tue, 02 Aug 2005 13:19:02 -0400
Inline :-) re-ordered for your top down reading pleasure.

>>> why not block traffic you're not supposed to see? yes, block requests to /etc/passwd (and other naughty actions) across all ports from the outside world into your dmz. why wouldn't you?

>> The simple answer is because this mail would have never reached us and likely will not reach many already. CAT /ETC/PASSWD is also a perfectly valid Unix command on some systems in all caps. Do you think that this mail can be processed and confidently assured to be safe?

> Ignoring the top posting habit, whatever floats ur boat dood.

> Yes. Mail bodies traditionally are not run through eval(), but pattern matched. Stuff sent to scripts through mail is a different beast, and in general, that code is well written.

Hrm. I'm pretty sure that attackers can comply with "traditionally" and yet still win. I also wouldn't agree that the scripts that handle automation are generally well written. This entire industry is based on failures in the same assumptions you are making here.

> I have never seen any situation where a mail body contained a script which would be run automatically on a Unix system. Plus, you can just use a current scanner like amavisd-new to only allow valid commands to be sent to the script (per recipient specifications).

Just because you have not seen it does not mean it is not there. Reference any outlook vuln or the below sendmail vuln.

http://www.securityfocus.com/bid/6991
http://www.securityfocus.com/archive/1/313757
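An added illustration of the point argued in this exchange (example code written for this archive page, not from either poster): a port-agnostic, case-sensitive substring rule for "/etc/passwd" flags a mail body that merely discusses the string, yet misses the same path in an upper-cased, URL-encoded HTTP request, while a rule scoped to decoded HTTP request targets gets both right. The sample payloads are constructed, not captured traffic.

```python
import re
from urllib.parse import unquote

# Constructed sample payloads as (protocol, port, bytes-as-text); not real traffic.
SAMPLES = [
    ("http", 80, "GET /cgi-bin/view?f=../../etc/passwd HTTP/1.0\r\n\r\n"),
    ("http", 80, "GET /cgi-bin/view?f=..%2F..%2FETC%2FPASSWD HTTP/1.0\r\n\r\n"),
    ("smtp", 25, "Subject: re: IDS rules\r\n\r\n"
                 "Do not block /etc/passwd on every port; CAT /ETC/PASSWD works too.\r\n"),
]


def naive_match(payload):
    """The 'block it on all ports' rule: plain case-sensitive substring search."""
    return "/etc/passwd" in payload


def http_request_target(payload):
    """Return the percent-decoded request target if the payload starts with an
    HTTP request line, otherwise None (non-HTTP traffic is simply out of scope)."""
    m = re.match(r"(?:GET|POST|HEAD) (\S+) HTTP/1\.[01]\r\n", payload)
    if not m:
        return None
    return unquote(m.group(1))


def protocol_aware_match(proto, payload):
    """Evaluate the rule only on decoded HTTP request targets, case-folded, so a
    mail body that quotes the path is not a hit and an encoded request is."""
    if proto != "http":
        return False
    target = http_request_target(payload)
    return target is not None and "/etc/passwd" in target.lower()


def evaluate(samples):
    """Return (protocol, naive_hit, protocol_aware_hit) for every sample."""
    return [(proto, naive_match(p), protocol_aware_match(proto, p))
            for proto, _port, p in samples]


if __name__ == "__main__":
    for proto, naive, aware in evaluate(SAMPLES):
        print(f"{proto:4s} naive={naive!s:5s} protocol_aware={aware}")
```

The SMTP sample is the thread's own scenario: the naive rule would have dropped this very mail, and the second HTTP sample shows that the same rule is trivially unreliable even on the traffic it was meant for.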