I saw a post from RSnake at ha.ckers.org titled IDS Evasion. It’s one of the blogs I really enjoy reading. This post talks about the recent vulnerability in Blojsom. A security researcher submitted a Snort signature to detect someone trying to exploit the vulnerability. The sig had at least one major issue that needs to be addressed. After ripping apart the sig RSnake goes on to say
“This is exactly why I think network security is a dying creature. Sure, you still need it, but it’s completely commoditized and easy to circumvent now. It feels like 1998 all over again today. Rain Forrest Puppy proved most of the IDSs out there could be evaded, but the signatures themselves are just as easy to evade”
Wow. That’s a bit harsh to equate one bad Snort sig to the state of network security. It’s especially harsh when it’s a sig written by an individual and not by people who do that for a living, like Assurent or commercial IPS vendors. I don’t see network security as a dying creature. I see a blurring of the lines between network and host security. NAC is a good example and, to a lesser extent, SIEM technologies. It definitely doesn’t feel like 1998 to me. RFP proved that most IDS of the day could be evaded, but a lot has changed since then. If you have a commercial IDS / IPS that gets tripped up by tools like Whisker on a regular basis… you have issues, my friend. Detection and prevention technologies have advanced in an attempt to meet the challenges. Are they perfect? No. Will the best IPS on the market have both false positives and negatives? Yes. When I start seeing many new versions of libwhisker-like tools and more groundbreaking papers like Ptacek-Newsham’s, then I will be more concerned. It’s about defense in depth in my book, and network security is a large part of that. That is, until developers start writing perfect code, administrators stop making configuration mistakes and users stop being… well… users.
This quote makes me think it has been a while since he had much interaction with commercial IPS products.
“Detection will always be a part of prevention, but regex just isn’t cutting it when you are talking about states that go well beyond the state of a packet or even a TCP/IP session.”
Even open source Snort can handle stateful reassembly with its Stream preprocessors. Some commercial vendors claim to be able to handle over 150,000 sessions at once.
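To make the two points above concrete, here is an added example (my own illustration, not code from the post, from RSnake, or from the Snort project). It models a signature as a raw regex and shows the two things a plain `content` match cannot see on its own: a request whose bytes are split across TCP segments, and the same request spelled with percent-encoding, case changes and redundant path components. Reassembling the stream by sequence number stands in for what Snort’s Stream preprocessors do, and the URI normalization stands in for what its HTTP inspection preprocessor does before a `uricontent` match. The pattern `/blog/?cmd=evil` is a constructed placeholder; the page does not give the real Blojsom signature, so nothing here reproduces it.

```python
"""Why a raw-byte signature misses what reassembly + normalization catches.

Added illustration, not code from the post or from Snort. The signature and
all request lines are constructed placeholders, not the real Blojsom rule.
"""
import re
from urllib.parse import unquote

# Constructed placeholder for the byte pattern a signature looks for.
NAIVE_SIGNATURE = re.compile(r"/blog/\?cmd=evil")


def naive_match(payload: str) -> bool:
    """Raw pattern match on the bytes as seen, like a content rule with no normalization."""
    return NAIVE_SIGNATURE.search(payload) is not None


# --- 1. Stateful reassembly: the signature may straddle a segment boundary ---

# Constructed TCP segments as (relative sequence number, payload), delivered out of order.
SEGMENTS = [
    (11, "cmd=evil HTTP/1.1\r\n"),
    (0, "GET /blog/?"),
]


def naive_per_packet(segments) -> bool:
    """Inspect each segment alone, as a stateless packet filter would."""
    return any(naive_match(payload) for _, payload in segments)


def reassemble(segments) -> str:
    """Order segments by sequence number and concatenate (roughly what a Stream preprocessor does)."""
    return "".join(payload for _, payload in sorted(segments))


def stream_match(segments) -> bool:
    return naive_match(reassemble(segments))


# --- 2. Normalization: the same URI can be written many ways on the wire ---

def normalize_uri(request_line: str) -> str:
    """Approximate HTTP-inspection preprocessing before matching:
    pull out the URI, percent-decode until stable (catches double encoding),
    fold case, and collapse '/./' and repeated slashes."""
    parts = request_line.split()
    uri = parts[1] if len(parts) >= 2 else request_line
    prev = None
    while prev != uri:  # %2565 -> %65 -> 'e'
        prev, uri = uri, unquote(uri)
    uri = uri.lower()
    uri = re.sub(r"/\./", "/", uri)
    uri = re.sub(r"/{2,}", "/", uri)
    return uri


def normalized_match(request_line: str) -> bool:
    return naive_match(normalize_uri(request_line))


# Constructed request lines: one literal hit and three byte-level spellings of the same request.
SAMPLE_REQUESTS = [
    "GET /blog/?cmd=evil HTTP/1.1",
    "GET /blog/?cmd=%65vil HTTP/1.1",
    "GET /BLOG/?CMD=EVIL HTTP/1.1",
    "GET /./blog//?cmd=%2565vil HTTP/1.1",
]


def compare(requests=SAMPLE_REQUESTS):
    """Return (request, naive result, normalized result) for each sample."""
    return [(r, naive_match(r), normalized_match(r)) for r in requests]


if __name__ == "__main__":
    print("per-packet:", naive_per_packet(SEGMENTS), "reassembled:", stream_match(SEGMENTS))
    for request, raw, norm in compare():
        print(f"{request!r:45} raw={raw!s:5} normalized={norm}")
```

Two design notes. Case-folding the whole URI is only safe when the target server treats paths and parameter names case-insensitively; on a case-sensitive server it trades misses for false positives, which is the tuning knob every IDS signature author has to set deliberately. And normalization only closes the gaps it knows about: a server that also accepts reordered parameters, alternate separators or a different encoding still needs a rule written against the application’s behaviour rather than against one byte string, which is exactly the limit the post is debating.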
It’s an interesting point of view.
–Chris
Technorati Tags: IDS, IPS, Snort, Ha.ckers.org, evasion
September 15th, 2006 at 4:36 pm
Hi, Chris, there were a few comments made, that I should probably revise (and please forgive my blog, I don’t work in security anymore and I only have a few minutes to write it a day - or less - so some of my comments are rushed).
True, it’s one signature, but I challenge someone to write a rule in regex that could accurately identify all variations of that attack against that tool. I’ll bet you a buck you can’t do it. And no cheating by disallowing everything. It gets exponentially more complex with variations.
When I was saying 1998, I meant only that it was twice in a day that I mentioned Rain Forrest Puppy on my blog, nothing more.
Stateful packet inspection is irrelevant to this conversation though. Sure it’s nice to know that they have a three way connection, but it has no basis in understanding the path of a user on a system. If I turn off my connection and connect through a different IP address the IPS, IDS and firewall are all useless, they have no idea it’s the same user.
IP based packet inspection is a nice tool, but against almost all the attacks I go into on my site, it’s next to useless. I think where it’s useful is where you have a signature that’s (more) difficult to modify, like a buffer overflow. Against a simple HTTP request, how can you tell if it’s benign or not? That’s the real question.
I used to be a network security guy, but the more I researched it the more I felt like it was only tackling one problem. And as such it was hindering technology. And then the developers coded around it. That caused more holes (like the ones we are seeing today). In the end it’s almost completely broken. Yes, there are mitigating factors, but I’ve seen exactly 2 companies who’ve ever come close to protecting itself from the XSS JavaScript port scanner, and one of them has complete physical separation of networks.
How can an IDS detect that? What about over SSL? You going to decrypt the traffic in real time (not of your website traffic, but of your own personal inbound/outbound user’s HTTP traffic)? At a small company that’s doable, in huge companies, not so much, and it’s hard to justify costs. It’s possible, but it doesn’t tell you anything about authentication state (leading to possible CSRF) of users.
In the end we could debate it all day. It’s useful, but it’s certainly not going to do much against any of the attacks we are working on.
September 15th, 2006 at 7:06 pm
Hi RSnake,
Thanks for the comments! You are correct in that I am sure there are attacks that would be next to impossible to catch with regex, unless you wanted to block everything or incur a tsunami of false positives. No bet.
I agree with you that the model is broken…no question. Secure coding practices and change control / management would go a long way in neutering these problems. I guess my position is that this type of technology is still useful as part of a larger strategy. As with anything it’s not the be-all end-all of security, despite what the vendors tell you.
Thanks again for the comments.
–Chris
September 15th, 2006 at 7:34 pm
Hey, Chris, smart move on not taking the bet. I thought a) he spends a week making regex to end all regex and I still find a hole or b) he spends a week making regex to end all regex, I can’t find a hole and I shirk on a bet. Either way smart move.
I completely agree… better coding practices would help a lot - if they were adopted by more people.
And again, I completely agree that network security has its use, it’s just that that use is becoming easier and easier to circumvent as more and more things get tunneled over port 80 and as more applications become HTTP enabled. I had a buddy who was contracted to port TCP/IP over HTTP. What’s the point in a firewall at that point? It’s completely circumvented the entire security model. What a pain! Anyway, that was my point, sorry if I wasn’t articulate. It’s been a rough last few weeks at work.