Network Security: Detailed info on RE: File-format based vulns

Subject:	RE: File-format based vulns - How do vendors detect them?
Date:	Thu, 10 Nov 2005 22:23:36 -0500

Hi Joshua,

Disclosure: as per my email address, I work for NFR Security.

File format vulnerabilities are not new;  they've been out for well over a
year.  At NFR, we have a module (package) called "badfiles", oddly enough.
It actually does byte level analysis.  Here's a snippet from the comments in
badfiles source code from the developer:

#it collects file transmission bytestreams from compatible network 
#protocol state machines and performs quick decoding on file formats that
#have been used as exploit transmission vectors, thus treating the file
#format itself as a network data protocol....  

"compatible network protocol state machines" include SMTP, IRC, HTTP & FTP.

Regarding your question regarding resource consumption:  Yes, doing this
type of intensive file scanning absolutely takes resources.  Doing these
types of checks is _very_ CPU intensive.  Our 4Gbps product actually has 17
CPU's in it because it's the only way to actually keep up with this type of
stuff at these line speeds.  Everybody wants everything in one box, and the
only way to do it is to throw horsepower at it.  We could probably do 10Gbps
if people would take the 4Gbps product and just buy two, and on one box,
only run badfiles stuff (essentially anti-virus), and on the other box, run
the normal IPS/IDS stuff!

Hope this answers your questions appropriately.  If you need more details,
lemme know,

-dave



-----Original Message-----
From: Joshua Russel [mailto:joshua.russel@gmail.com] 
Sent: Wednesday, November 09, 2005 8:34 AM
To: focus-ids@securityfocus.com
Subject: File-format based vulns - How do vendors detect them?

Hi,

After the recent announcement of file-format based vulnerabilities in MS
Patch Tuesday, I was wondering how do IPS/IDS vendors claim to protect
against them (most of them like TippingPoint claim to do so).
Do they scan data transfer streams (SMTP, FTP, HTTP etc) for these malicious
files or is it a local check? If they do detect it on the network doesn't it
screw up their device due to high chance of false positives and high
resource consumption.

--Joshua

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------



------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------

<Prev in Thread]	Current Thread	[Next in Thread>
File-format based vulns - How do vendors detect them?, Joshua Russel RE: File-format based vulns - How do vendors detect them?, David Goodrum <= RE: File-format based vulns - How do vendors detect them?, Palmer, Paul (ISSAtlanta)

Previous by Date:	RE: Intrusion Prevention requirements document, Chris Ralph
Next by Date:	Experience security-information-management, klaus . dombrofsky
Previous by Thread:	File-format based vulns - How do vendors detect them?, Joshua Russel
Next by Thread:	RE: File-format based vulns - How do vendors detect them?, Palmer, Paul (ISSAtlanta)
Indexes:	[Date] [Thread] [Top] [All Lists]

RE: File-format based vulns - How do vendors detect them?