From: Sam Gorton (sgorton@skaion.com)
Date: Thu Nov 16 2006 - 14:51:51 EST
On Wed, Nov 15, 2006 at 04:22:19PM -0500, Joseph McCray wrote:
> Have any of you ever taken the time to develop a list of signatures and
> their corresponding tools and/or exploits that actually trigger every
> individual signature the IDS has?
Joe, we did something similar for a client - we picked a single
exploit and performed a whole set of mangling and evasion tests with
it.
As a foundation, we used the ISAPI .printer exploit by eEye, which has
the very useful payload of writing a file on the target system. If
the file is there, you know the exploit worked.
To help us automate the correlation, we bound each individual test
case to a unique source port, and included the source port in the file
name. (Well, we used N for 9, because the exploit couldn't write a 9,
but you get the idea). So that way we knew that for a given suite of
tests, source port 30000 was test X.
Even if you can't do the rest of it, keying each test case to a source
port is an enormous help in correlation.
--
Sam Gorton | Skaion Corporation
sgorton@skaion.com | 978-251-3963
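A small correlation harness for the source-port scheme Sam describes, added here as an example and not part of the original thread: each evasion test case is keyed to a unique source port, the dropped file carries that port in its name (with N standing in for 9), and IDS alerts are matched back to test cases by source port. The test-case names, the Snort-style alert lines and the dropped-file names are all constructed for this example.

```python
import re

# Constructed test suite: each evasion test case is bound to one source port
# (the correlation scheme from the post). The case names are hypothetical.
TEST_SUITE = {
    30000: "baseline",
    30001: "url-encoding",
    30002: "tcp-segmentation",
    30009: "session-splicing",
}

# IDS alerts in Snort "fast" format, constructed for this example.
ALERTS = """\
11/16-14:51:51.000001 [**] [1:971:1] WEB-IIS ISAPI .printer access [**] {TCP} 10.0.0.5:30000 -> 10.0.0.9:80
11/16-14:51:52.000001 [**] [1:971:1] WEB-IIS ISAPI .printer access [**] {TCP} 10.0.0.5:30002 -> 10.0.0.9:80
11/16-14:51:53.000001 [**] [1:1042:1] WEB-IIS ISAPI .printer overflow [**] {TCP} 10.0.0.5:30002 -> 10.0.0.9:80
"""

# Files found on the target after the run (constructed); the payload writes N for 9.
DROPPED_FILES = ["test_30000.txt", "test_30001.txt", "test_3000N.txt"]

ALERT_RE = re.compile(r"\[\*\*\] \[([\d:]+)\] (.*?) \[\*\*\] \{TCP\} [\d.]+:(\d+) ->")

def decode_port(filename):
    """Recover the source port from a dropped-file name, mapping N back to 9."""
    digits = re.search(r"test_([0-9N]+)", filename).group(1)
    return int(digits.replace("N", "9"))

def correlate(alerts, files, suite):
    """Per test case: did the exploit land, and which signatures fired for its port?"""
    succeeded = {decode_port(f) for f in files}
    sigs = {port: set() for port in suite}
    for line in alerts.splitlines():
        m = ALERT_RE.search(line)
        if m and int(m.group(3)) in sigs:
            sigs[int(m.group(3))].add(f"{m.group(1)} {m.group(2)}")
    return {
        name: {"exploit_succeeded": port in succeeded, "signatures": sorted(sigs[port])}
        for port, name in suite.items()
    }

def evasions(results):
    """Test cases where the exploit worked but the IDS stayed silent: the coverage gaps."""
    return sorted(n for n, r in results.items() if r["exploit_succeeded"] and not r["signatures"])
```

A case that alerted but left no file (tcp-segmentation above) is a failed delivery, not IDS coverage, so it is reported separately from the evasions.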
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:20 EDT