Re: interesting paper on testing sig-based IDS

[Jonathon Giffin <giffin () cs wisc edu>]

Kohlenberg, Toby wrote:
> http://www.cs.ucsb.edu/~vigna/pub/2004_vigna_robertson_balzarotti_CCS04.
> pdf

You may also be interested in Automatic Generation and Analysis of NIDS 
Attacks by Rubin, Jha, and Miller from ACSAC 2004.

http://www.cs.wisc.edu/wisa/papers/acsac04/RJM04.pdf

Abstract:

A common way to elude a signature-based NIDS is to transform an attack 
instance that the NIDS recognizes into another instance that it misses. 
For example, to avoid matching the attack payload to a NIDS signature, 
attackers split the payload into seversl TCP packets or hide it between 
benign messages. We observe that different attack instances can be 
derived from each other using simple transformations. We model these 
transformations as inference rules in a natural-deduction system. 
Starting from an exemplary attack instance, we use an inference engine 
to automatically generate all possible instances derived by a set of 
rules. The result is a simple yet powerful tool capable of both 
generating attack instances for NIDS testing and determining whether a 
given sequence of packets is an attack.

In several testing phases using different sets of rules, our tool 
exposed serious vulnerabilities in Snort--a widely deployed NIDS. 
Attackers acquainted with these vulnerabilities would have been able to 
construct instances that elude Snort for any TCP-based attack, any 
Web-CGI attack, and any attack whose signature is a certain type of 
regular expression.


Disclaimer: I am part of the same research group as the authors of this 
paper.

Thanks,

Jon

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------