This is the fourth in a series of articles on understanding and developing signatures for network intrusion detection systems. In part one we discussed the basics of network IDS signatures and then took a closer look at signatures that focus on IP, TCP, UDP and ICMP header values. In the second installment we looked at some signature examples. In the previous article, we began to examine the topic of protocol analysis, which means that the intrusion detection system actually understands how various protocols, such as FTP, are supposed to work. In this article, we will continue to look at protocol analysis and how it can overcome attempts by attackers to obfuscate their exploits so that they cannot be detected by simple intrusion detection signature methods.
Protocol Analysis Review
Let's quickly review what protocol analysis means. In protocol analysis, the network intrusion detection system (IDS) sensors examine TCP and UDP payloads, which contain other protocols such as DNS, FTP, HTTP and SMTP. The sensors understand how these protocols are supposed to work, based on RFCs and on real-world implementations of the protocols, and they can fully decode them. This allows a much larger range of signatures to be created than would be possible through simpler signature techniques. Some IDS sensors can only utilize "packet grepping" signatures, which do character-by-character or byte-by-byte matches within a TCP or UDP payload. Although packet grepping signatures are useful for identifying certain types of attacks, they lack the flexibility to identify many types of attacks. In particular, packet grepping signatures are typically unable to handle the obfuscation techniques that attackers often use to attempt to evade detection by IDS sensors.
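The contrast described above, as an added example that is not code from the original article: a packet-grepping signature and a protocol-analysis signature are run over the same HTTP payloads, showing where the byte match misses an equivalent request and where it fires on a field that was never the request path. The watched path, the sample payloads and all function names are constructed for illustration, and the decoder handles only the request line with one round of percent-decoding.

```python
from urllib.parse import unquote_to_bytes

# Hypothetical resource the signature watches for (constructed for this example).
WATCHED_PATH = b"/cgi-bin/example.cgi"

def grep_match(payload: bytes) -> bool:
    """Packet-grepping signature: literal byte match anywhere in the payload."""
    return WATCHED_PATH in payload

def decode_request_path(payload: bytes):
    """Decode the HTTP request line and return the normalized path, or None."""
    parts = payload.split(b"\r\n", 1)[0].split()
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None                                  # not an HTTP request line
    path = unquote_to_bytes(parts[1].split(b"?", 1)[0])  # drop query, decode %xx
    segments = []
    for seg in path.split(b"/"):
        if seg in (b"", b"."):                       # empty or "." segment: skip
            continue
        if seg == b"..":                             # ".." removes one level
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return b"/" + b"/".join(segments)

def protocol_match(payload: bytes) -> bool:
    """Protocol-analysis signature: compare only the decoded request path."""
    return decode_request_path(payload) == WATCHED_PATH

# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "plain": b"GET /cgi-bin/example.cgi HTTP/1.0\r\n\r\n",
    "percent-encoded": b"GET /cgi-bin/%65xample.cgi HTTP/1.0\r\n\r\n",
    "dot-segments": b"GET /cgi-bin/./tmp/../example.cgi?id=1 HTTP/1.0\r\n\r\n",
    "referer-only": b"GET /index.html HTTP/1.0\r\n"
                    b"Referer: http://www.example.com/cgi-bin/example.cgi\r\n\r\n",
}

def compare():
    """Return {sample name: (grep result, protocol-analysis result)}."""
    return {name: (grep_match(p), protocol_match(p)) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, (grep, proto) in compare().items():
        print(f"{name:16} grep={grep!s:5} protocol={proto}")
```

The last sample shows the other benefit of decoding: because the signature is applied to a named protocol field, the same string appearing in a `Referer` header does not raise an alert.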
Network Intrusion Detection Signatures, Part Four