[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: Re: [Full-disclosure] VML Exploit vs. AV/IPS/IDS signatures
From: nirvana <karmic_nirvana () yahoo ! com>
Date: 2006-09-29 4:43:05
Message-ID: 20060929044305.94822.qmail () web52311 ! mail ! yahoo ! com
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
Sanjay,
It's not that bad as it sounds. This whole discussion was in the context of client-side \
scripting attacks and how commercial IPS/IDS solutions tackle them (and I am talking about the \
best-of-the-breed here, not confined to India). I wanted to show some disbelief on the fact as \
to how the network-style vendors declare that they cover vulnerabilities like the recent VML \
one. In actuality, the solutions are very, very exploit-facing. But they become slightly \
effective with real-time exploit updation. IPS are not meant to fix these kind of \
vulnerabilites, is the point I am rhetorically stressing on.
>I have heard ( I am not sure whether it is really true) that few products (I
> don't even know the name!!) are simply dependent on open sources
> like Snort or bleeding snort or nessus!!!!) for signatures.
Well, let's not count those here. My focus was on the popular vendors which have good \
capabilities to protect against network attacks.
>To overcome this (pathetic) situation, the solution, being suggested by
> Pukhraj makes sense i.e. collect as much exploits as possible and
> then try to analyze them and write signature. Here I want to add one
> thing that once we have a number of exploits, we should, at least
> now, try to understand the vulnerability based on the information
> present in all the exploits and try to come out with a common
> signature (or a common set of signatures).
As an IPS developer in the past, my aim was to perfectly decode the network traffic, \
normalize the malicious elements and provide generic vulnerability-facing solutions. It did \
happen in most cases with exceptions like scripting attacks, obscure propriety binary protocols \
etc. Perfect decoding and hence vulnerability facing solutions are viable in almost all cases. \
SanjayR <sanjayr@intoto.com> wrote:
Hi Aviv/Pukhraj & others:
As a security professional and researchers, our aim is to provide
more in-depth information on intrusion (security) aspects, for
example, some virus out-break, new windows vulnerability etc. Aviv is
right by saying that signatures should match the vulnerability, not
the exploits. Signature writing is a very responsible task and, of
course, technical too. But unfortunately, there are not many people,
who have required knowledge ( i m talking in context to india). but
companies need people with the requirement of writing signatures. So,
in this process, so called security professional start looking at
exploits and write signatures (just to mention, I have seen few snort
signatures that match "Shellcode part"!!!) . As Pukharaj mentioned
that there are not many variants found in the wild, such signatures
work and company and hired-security-professionals are happy. I have
heard ( I am not sure whether it is really true) that few products (I
don't even know the name!!) are simply dependent on open sources
(like Snort or bleeding snort or nessus!!!!) for signatures. To
overcome this (pathetic) situation, the solution, being suggested by
Pukhraj makes sense i.e. collect as much exploits as possible and
then try to analyze them and write signature. Here I want to add one
thing that once we have a number of exploits, we should, at least
now, try to understand the vulnerability based on the information
present in all the exploits and try to come out with a common
signature (or a common set of signatures).
regards
-Sanjay
At 11:07 AM 9/28/2006, Pukhraj Singh wrote:
> And you tell me how many of these variants you will actually find in
> the wild. Won't be a significant number I bet.
>
> Cheers!
> Pukhraj
>
> On 9/27/06, avivra wrote:
> > Hi,
> >
> > > i.e. I can't afford to buy "specialized" security tools/devices for
> > > "speclialized" attacks unless my company relies heavily on web/content
> > > services.
> >
> > So, you will buy "specialized" security tools like firewall or
> > Anti-Virus, but not web content filtering tool?
> >
> > > In our company, we established a information-sharing
> > > network with other security companies. So the real-time exploit-facing
> > > signatures were then subjected to live traffic, honeypots and countless
> > > variants; They seemed to work out pretty well.
> >
> > I would like to see how your real-time signatures get updated with the
> > randomization implemented in the new VML metasploit module. Your
> > "countless" exploit variants will become really innumerable.
> >
> > The problem is that the signatures are written for the exploit, and
> > not for the vulnerability.
> >
> > -- Aviv.
>
Sanjay Rawat
Security Research Engineer
INTOTO Software (India) Private Limited
Uma Plaza, Nagarjuna Hills
PunjaGutta,Hyderabad 500082 | India
Office: + 91 40 23358927/28 Extn 424
Website : www.intoto.com
Homepage: http://sanjay-rawat.tripod.com
Computer Security: A little delay to break into your network.
-- DSR
---------------------------------
Want to be your own boss? Learn how on Yahoo! Small Business.
[Attachment #5 (text/html)]
<DIV>Sanjay,</DIV> <DIV> </DIV> <DIV>It's not that bad as it sounds. This whole \
discussion was in the context of client-side scripting attacks and how commercial IPS/IDS \
solutions tackle them (and I am talking about the best-of-the-breed here, not confined to \
India). I wanted to show some disbelief on the fact as to how the network-style \
vendors declare that they cover vulnerabilities like the recent VML one. In actuality, \
the solutions are very, very exploit-facing. But they become slightly effective with real-time \
exploit updation. IPS are not meant to fix these kind of vulnerabilites, is the point I am \
rhetorically stressing on.</DIV> <DIV> </DIV> <DIV>>I have heard ( I am not sure \
whether it is really true) that few products (I <BR>> don't even know the name!!) are simply \
dependent on open sources <BR>>like Snort or bleeding snort or nessus!!!!) for \
signatures.</DIV> <DIV> </DIV> <DIV>Well, let's not count those here. My focus was on \
the popular vendors which have good capabilities to protect against network attacks.</DIV> \
<DIV> </DIV> <DIV>>To overcome this (pathetic) situation, the solution, being \
suggested by <BR>>Pukhraj makes sense i.e. collect as much exploits as possible and \
<BR>>then try to analyze them and write signature. Here I want to add one <BR>>thing that \
once we have a number of exploits, we should, at least <BR>>now, try to understand the \
vulnerability based on the information <BR>>present in all the exploits and try to come out \
with a common <BR>>signature (or a common set of signatures).</DIV> <DIV> </DIV> \
<DIV>As an IPS developer in the past, my aim was to perfectly decode the \
network traffic, normalize the malicious elements and provide generic \
vulnerability-facing solutions. It did happen in most cases with exceptions like scripting \
attacks, obscure propriety binary protocols etc. Perfect decoding and hence vulnerability \
facing solutions are viable in almost all cases.</DIV> <DIV><BR> <BR><B><I>SanjayR \
<sanjayr@intoto.com></I></B> wrote:</DIV> <BLOCKQUOTE class=replbq style="PADDING-LEFT: \
5px; MARGIN-LEFT: 5px; BORDER-LEFT: #1010ff 2px solid">Hi Aviv/Pukhraj & others:<BR>As a \
security professional and researchers, our aim is to provide <BR>more in-depth information on \
intrusion (security) aspects, for <BR>example, some virus out-break, new windows vulnerability \
etc. Aviv is <BR>right by saying that signatures should match the vulnerability, not <BR>the \
exploits. Signature writing is a very responsible task and, of <BR>course, technical too. But \
unfortunately, there are not many people, <BR>who have required knowledge ( i m talking in \
context to india). but <BR>companies need people with the requirement of writing signatures. \
So, <BR>in this process, so called security professional start looking at <BR>exploits and \
write signatures (just to mention, I have seen few snort <BR>signatures that match "Shellcode \
part"!!!) . As Pukharaj mentioned <BR>that there are not many variants found in the wild, such \
signatures <BR>work and company and hired-security-professionals are happy. I have <BR>heard ( \
I am not sure whether it is really true) that few products (I <BR>don't even know the name!!) \
are simply dependent on open sources <BR>(like Snort or bleeding snort or nessus!!!!) for \
signatures. To <BR>overcome this (pathetic) situation, the solution, being suggested by \
<BR>Pukhraj makes sense i.e. collect as much exploits as possible and <BR>then try to analyze \
them and write signature. Here I want to add one <BR>thing that once we have a number of \
exploits, we should, at least <BR>now, try to understand the vulnerability based on the \
information <BR>present in all the exploits and try to come out with a common <BR>signature (or \
a common set of signatures).<BR><BR>regards<BR>-Sanjay<BR><BR>At 11:07 AM 9/28/2006, Pukhraj \
Singh wrote:<BR>>And you tell me how many of these variants you will actually find \
in<BR>>the wild. Won't be a significant number I \
bet.<BR>><BR>>Cheers!<BR>>Pukhraj<BR>><BR>>On 9/27/06, avivra \
<AVIVRA@GMAIL.COM>wrote:<BR>>>Hi,<BR>>><BR>>> > i.e. I can't afford to buy \
"specialized" security tools/devices for<BR>>> > "speclialized" attacks unless my \
company relies heavily on web/content<BR>>> > services.<BR>>><BR>>>So, you \
will buy "specialized" security tools like firewall or<BR>>>Anti-Virus, but not web \
content filtering tool?<BR>>><BR>>> > In our company, we established a \
information-sharing<BR>>> > network with other security companies. So the real-time \
exploit-facing<BR>>> > signatures were then subjected to live traffic, honeypots and \
countless<BR>>> > variants; They seemed to work out pretty \
well.<BR>>><BR>>>I would like to see how your real-time signatures get updated \
with the<BR>>>randomization implemented in the new VML metasploit module. \
Your<BR>>>"countless" exploit variants will become really \
innumerable.<BR>>><BR>>>The problem is that the signatures are written for the \
exploit, and<BR>>>not for the vulnerability.<BR>>><BR>>>-- \
Aviv.<BR>><BR><BR>Sanjay Rawat<BR>Security Research Engineer<BR>INTOTO Software (India) \
Private Limited<BR>Uma Plaza, Nagarjuna Hills<BR>PunjaGutta,Hyderabad 500082 | India<BR>Office: \
+ 91 40 23358927/28 Extn 424<BR>Website : www.intoto.com<BR>Homepage: \
http://sanjay-rawat.tripod.com<BR>Computer Security: A little delay to break into your \
network.<BR>-- DSR<BR><BR><BR><BR><BR></BLOCKQUOTE><BR><p> 
<hr size=1>Want to be your own boss? Learn how on <a \
href="http://us.rd.yahoo.com/evt=41244/*http://smallbusiness.yahoo.com/r-index"> Yahoo! Small \
Business.</a>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic