IDS mailing list archives

RE: File-format based vulns - How do vendors detect them?

From: "David Goodrum" <dgoodrum () nfr com>
Date: Thu, 10 Nov 2005 22:23:36 -0500

Hi Joshua,

Disclosure: as per my email address, I work for NFR Security.

File format vulnerabilities are not new;  they've been out for well over a
year.  At NFR, we have a module (package) called "badfiles", oddly enough.
It actually does byte level analysis.  Here's a snippet from the comments in
badfiles source code from the developer:

#it collects file transmission bytestreams from compatible network 
#protocol state machines and performs quick decoding on file formats that
#have been used as exploit transmission vectors, thus treating the file
#format itself as a network data protocol....  

"compatible network protocol state machines" include SMTP, IRC, HTTP & FTP.

Regarding your question regarding resource consumption:  Yes, doing this
type of intensive file scanning absolutely takes resources.  Doing these
types of checks is _very_ CPU intensive.  Our 4Gbps product actually has 17
CPU's in it because it's the only way to actually keep up with this type of
stuff at these line speeds.  Everybody wants everything in one box, and the
only way to do it is to throw horsepower at it.  We could probably do 10Gbps
if people would take the 4Gbps product and just buy two, and on one box,
only run badfiles stuff (essentially anti-virus), and on the other box, run
the normal IPS/IDS stuff!

Hope this answers your questions appropriately.  If you need more details,
lemme know,

-dave



-----Original Message-----
From: Joshua Russel [mailto:joshua.russel () gmail com] 
Sent: Wednesday, November 09, 2005 8:34 AM
To: focus-ids () securityfocus com
Subject: File-format based vulns - How do vendors detect them?

Hi,

After the recent announcement of file-format based vulnerabilities in MS
Patch Tuesday, I was wondering how do IPS/IDS vendors claim to protect
against them (most of them like TippingPoint claim to do so).
Do they scan data transfer streams (SMTP, FTP, HTTP etc) for these malicious
files or is it a local check? If they do detect it on the network doesn't it
screw up their device due to high chance of false positives and high
resource consumption.

--Joshua

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------



------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------

Current thread:

File-format based vulns - How do vendors detect them? Joshua Russel (Nov 09)
- RE: File-format based vulns - How do vendors detect them? David Goodrum (Nov 14)
- <Possible follow-ups>
- RE: File-format based vulns - How do vendors detect them? Palmer, Paul (ISSAtlanta) (Nov 16)