Jason wrote:
Dave Aitel wrote:
Although, keep in mind, Snort completely fails the CRI test, and does
horrible TCP reassembly, let alone SMB or MSRPC reassembly. It just
isn't up to the job of detecting an attacker who's gone to some work
to bypass this sort of thing.
This statement is misleading and implies that there are systems that do
better and can stand up to the same assault. A better statement might
be, there is no IDS/IPS up to the job of detecting the attacker who's
gone to some work to bypass it.
I would agree, if I had spent some time with Snort/NFR/ISS/etc ahead of
time, and gone through the work of modeling them to see what they miss.
However, I didn't do that. I simply implemented some realistic parts of
the SMB/MSRPC protocol, and made a little slidey bar to help control it.
There are systems that DO stand up better to these minor changes, and
those systems are currently known to be: NFR and ISS. This is because
those companies have teams that sit around implementing hard protocols
like MSRPC and making sure they cover those bases and they've had these
teams for 5 years.
The reality is that every IDS has evasion potentials and if you are able
to control the environment enough that you can influence the view of the
network then you can win, as simple as that.
Yes, but for a lot of Snort rules, you can split your tcp packets into 1
byte sends (i.e. userspace, not fragrouter) and evade them completely.
This means if you build an NIPS on top of the Snort engine, it is
literally trivial to evade. I'm not talking about "advanced attacks"
here. "Advanced attacks" tend to fail in the wild. I'm talking more
about basic competance.
Lets put it out there for consideration.
- All major IDS players fail in the MSRPC space when challenged with a
capable attacker.
Not actually proven true. At least two survived the first round. Then
again, I'm not that capable an attacker. I wasn't trying to emulate
anything complex with the CRI.
- No IDS can handle proper TCP state tracking when confronted with a
capable attacker. If you are not constrained by 5 hops between you and
the endpoint with at least one of those endpoints being a system
charged with noise elimination ( Checkpoint, PIX, iptables, screen
router... ) you can own any state machine.
TCP state tracking is hard to evade too. I have to actually do work,
maybe even learn how to install fragrouter. The evasions implemented in
the CRI are much easier to do and much more effective. I'm not messing
with a state machine. I'm just using standard protocols. You can a third
of the CRI test on any machine by setting your MTU small enough. That'll
completely bypass any snort-like system with one command line call to
ifconfig.
Moving beyond the detection space. Active technologies suffer from the
same shortcomings in that they must make compromises to achieve a
larger goal. IIRC Canvas will report success on an Win32 Apache
Chunked encoding attack against a FreeBSD Apache server, for example.
Hahaha. Yeah. Although it's likely to have just checked for port 80 to
be open. CANVAS is not Nessus. Now if it pulls a shell back, then we
have problems! :>
The moral of the story is that you have decisions to make and with
open source you at least have an opportunity to make a difference.
With all of the systems that compete with Snort you have no
opportunity to make a difference unless you have a few million dollars
and staff capable of isolating a problem. I can tell you from
experience that everyone that I compete with cannot stand up to
controlled environments and advanced evasion tactics.
I guess the interesting thing is that you actually bought something for
your millions of dollars. Or perhaps it's a look into the Speed vs.
Accuracy trade off. Lots of other people have spent millions of dollars
on professional engines, but still fail the simple tests like this
because all nss.co.uk is testing for is extremely old attacks and
whether an IDS can take the load of millions of packets at once. This is
going to favor Snort-like systems largely at the expense of parsing
engines. I think it's telling that nss doesn't test MSRPC at all. It's
funny how the IDS industry has tuned itself. But set your MTU low
enough, and you can bypass some systems even if you're the only packets
on the wire. Doing SMB fragmentation basically guarantees it.
If you're looking for a misleading test, the NSS.CO.UK tests are what
you want. They're not open tests. They're outdated. They largely test
for things you don't care about, such as pushing packets down a wire. No
scientific test should be non-repeatable, and no scientific test should
require such large amounts of money to change hands.
What the CRI says is this: If what you're trying to detect is worms,
then you're perfectly fine with a Snort-like system. If you're trying to
detect attackers, you need to purchase a system from someone who spent
some cash on the problem. This is a somewhat surprising conclusion for
most people, such as yourself, I guess, since you feel that Snort does
the job.
Dave Aitel
VP R&D
Immunity, Inc.
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
