Network Intrusion Detection Signatures, Part Five

This is the fifth and final installment in a series of articles on understanding and developing signatures for network intrusion detection systems. In the previous article, we looked at the topic of protocol analysis, meaning that the intrusion detection system actually understands how various protocols, such as FTP, are supposed to work. We initially looked at protocol analysis as it applied to a single request or response. In this article, we will extend this discussion by looking closely at stateful protocol analysis, which involves performing protocol analysis for an entire connection or session, capturing and storing certain pieces of relevant data seen in the session, and using that data to identify attacks that involve multiple requests and responses.

Stateful Protocol Analysis

The concept of stateful protocol analysis is simple: it adds stateful characteristics to regular protocol analysis. When we perform protocol analysis, we examine TCP and UDP payloads, which carry application protocols such as DNS, FTP, HTTP and SMTP. IDS sensors that perform protocol analysis understand how each protocol is supposed to work, based on the RFCs and on real-world implementations of these protocols, so the sensor can detect many suspicious values within application payloads. Protocol analysis signatures can also be designed to overcome attempts by attackers to obfuscate their exploits. For example, hex encoding can be used to slightly modify URLs so that they appear different to us but have the same meaning to Web servers. Microsoft IIS Web servers perform two hex decoding operations on URLs before processing them, so an HTTP protocol analysis signature set looking for attacks against IIS should also perform two hex decoding operations, ensuring that it examines the same URL the IIS Web server would see.
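As an added illustration (not code from the article), the following Python normalizes a request URL the way the paragraph describes, applying the same number of percent-decoding passes as the target server, and then checks a signature against the normalized form. `SAMPLE_URLS` and `SIGNATURE` are constructed for the example; the third URL uses `%25`, the encoding of `%` itself, so a sensor that decodes only once never sees the plain path.

```python
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

# Constructed sample requests: the same path written plainly, hex-encoded
# once (%72 is 'r'), and hex-encoded twice (%2572 decodes to %72, then to 'r').
SAMPLE_URLS: List[str] = [
    "/restricted/index.asp",
    "/%72estricted/index.asp",
    "/%2572estricted/index.asp",
]

# Hypothetical signature: a path segment the sensor has been told to flag.
SIGNATURE = "/restricted/"


def decode_like_server(url: str, passes: int) -> str:
    """Percent-decode `url` as many times as the target server does.

    IIS decodes twice, so a sensor watching IIS traffic must decode twice
    to compare against the URL the server actually processes.
    """
    for _ in range(passes):
        url = unquote(url)
    return url


def matches(url: str, pattern: str, passes: int = 2) -> bool:
    """True if `pattern` appears in the URL after `passes` decoding rounds."""
    return pattern.lower() in decode_like_server(url, passes).lower()


def passes_needed(url: str, pattern: str, max_passes: int = 2) -> Optional[int]:
    """Smallest number of decoding passes after which `pattern` is visible,
    or None if it never appears within `max_passes` rounds."""
    for n in range(max_passes + 1):
        if matches(url, pattern, n):
            return n
    return None


def compare_sensors(urls: List[str], pattern: str) -> Dict[str, Tuple[bool, bool]]:
    """For each URL, report (single-decode verdict, double-decode verdict)
    so the gap between a naive sensor and an IIS-aware sensor is visible."""
    return {u: (matches(u, pattern, 1), matches(u, pattern, 2)) for u in urls}


if __name__ == "__main__":
    for url, verdicts in compare_sensors(SAMPLE_URLS, SIGNATURE).items():
        print(f"{url:28s} one pass: {verdicts[0]!s:5s} two passes: {verdicts[1]}")
```

Each decoding pass the sensor skips relative to the server is a layer of encoding the attacker can hide behind, which is why the pass count must match the server rather than being a fixed "decode once".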