Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Packet/Protocol Anomaly Detection with IDS

from [hibano haleluya] Network Security [Permanent Link]
Subject: Re: Packet/Protocol Anomaly Detection with IDS
Date: Wed, 25 May 2005 05:01:39 +0000 
Hi,

I juz wanna add some info.

Normally all standard services are already defined in RFC.

But sometimes, these services alway be attacked from intruders by using weak points of applications by using un-standard packet which defined by RFC.

Such as packet range in DNS query, or any packets which are included abnormal flag bits. If some applications get any abnormal input like these, they will be attacked.

Good IDS & IDP must capture non-standard packets for checking and preventing.


PS. May not be best describe, apologize me in advance. :))

regards,

Hibano



From: Joachim Schipper <j.schipper@math.uu.nl>
To: focus-ids@securityfocus.com
Subject: Re: Packet/Protocol Anomaly Detection with IDS
Date: Fri, 20 May 2005 17:40:49 +0200
MIME-Version: 1.0
Received: from outgoing.securityfocus.com ([205.206.231.26]) by mc10-f42.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Tue, 24 May 2005 16:58:33 -0700
Received: from outgoing.securityfocus.com by outgoing.securityfocus.com via smtpd (for mc10.bay6.hotmail.com [65.54.166.230]) with ESMTP; Tue, 24 May 2005 16:58:33 -0700
Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])by outgoing2.securityfocus.com (Postfix) with QMQPid 957F2144DA3; Tue, 24 May 2005 17:21:39 -0600 (MDT)
Received: (qmail 9634 invoked from network); 20 May 2005 16:12:25 -0000
X-Message-Info: 6sSXyD95QpXuwHD2WyQCQY3U/NWogCbP5cCNv2AASg8=
Mailing-List: contact focus-ids-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <focus-ids.list-id.securityfocus.com>
List-Post: <mailto:focus-ids@securityfocus.com>
List-Help: <mailto:focus-ids-help@securityfocus.com>
List-Unsubscribe: <mailto:focus-ids-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:focus-ids-subscribe@securityfocus.com>
Delivered-To: mailing list focus-ids@securityfocus.com
Delivered-To: moderator for focus-ids@securityfocus.com
Mail-Followup-To: focus-ids@securityfocus.com
References: <20050519205055.30251.qmail@www.securityfocus.com>
User-Agent: Mutt/1.4.2i
X-GnuPG-key: 3D6A8A5F, available at http://jschipper.dynalias.net/key
X-GnuPG-fingerprint: 23E2 60F6 28DE BC9F 3E5D 414D 39CA 2BF4 3D6A 8A5F
X-Spam-Checker-Version: SpamAssassin 3.0.0-r20550 (2004-05-28) on mail.securityfocus.com
X-Spam-Status: No, score=0.3 required=5.0 tests=AWL,FORGED_RCVD_HELO autolearn=failed version=3.0.0-r20550
X-Spam-Level: Return-Path: focus-ids-return-6096-hibano=hotmail.com@securityfocus.com
X-OriginalArrivalTime: 24 May 2005 23:58:33.0346 (UTC) FILETIME=[7DF82620:01C560BC]

On Thu, May 19, 2005 at 08:50:55PM -0000, Harald Frlinger wrote:
>
>
> Hi Community,
>
> im a student, and at the moment im searching
> for some input to write my exam.
>
> The title is "Packet/Protocol Anomaly Detection with IDS", i already got some good input.
> But some things are quiet hard to find.
>
> What i need is some examples on attacks,
> on specific protocols, like ftp, http, tcp ...
> I know there are attacks like Dos or Buffer Overflows.
> But i need some more.
>
> Maybe you can tell me some good ressources or
> examples.
>
> Thanks all, and sorry for my english.
>
>
> mfg
> harry

Hello Harry,

one thing I recently discovered was HTTP response splitting (known for
some time, but hey - I can't know everything). Quite interesting.

Some FTP implementations (wuftpd) react(ed) badly to LIST commands with
lots of wildcards, which allows an easy DoS.

Brute-forcing might be interesting too.

There are many others, but I'm just a student myself... ;-)

                Joachim
<< attach3 >>




--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  New to Snort !!!, Venkatesh G S
Next by Date:  RE: IDS\IPS that can handle one Gig, Andrew Plato
Previous by Thread:  Re: Packet/Protocol Anomaly Detection with IDS, Joachim Schipper
Next by Thread:  IDS\IPS that can handle one Gig, Randall Jarrell
Indexes:  [Date] [Thread] [Top] [All Lists]