Re: Cisco IOS Shellcode - McAfee IPS Protection

[Ron Gula <rgula () tenablesecurity com>]

At 06:25 PM 8/4/2005, Joel Esler wrote:

> How can they have "0-day" if ISS (makers of RealSecure and proventia
> IDS) announced the vuln?  Wouldn't that lead us to believe that ISS
> had it first?

It depends on what they are detecting and/or blocking. For example,
we added rules to look for un-encrypted Cisco command shells in
our NeVO product. We have similar rules for UNIX and Windows shell
detection which is trivial to evade, but extremely effective in the
wild.

Since the IDS/IPS guys are more on the detect/prevent side, I
would expect them to focus on stuff like instruction sets for the
CPUs used in various Cisco products and anomalies in protocols
used by routers/switches like RIP, tftp, SNMP, .etc. Many of these
concepts (like blocking protocol anomalies in SNMP) have been in
IPS products for several years already.

> Beyond that, it's been a week, I am sure that all the major IDS
> venders have it.

I think most of them are relying on existing technology. For example,
a quick check of snort.org and bleedingsnort.org didn't have any new
cisco-specific rules, yet there are signatures to detect various Cisco
attacks already.

Ron Gula, CTO
Tenable Network Security
http://www.tenablesecurity.com




------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------