Re: IDS Assessments....and the I{D|P}S evasion research project

To: Joseph McCray <joe@learnsecurityonline.com>
Subject: Re: IDS Assessments....and the I{D|P}S evasion research project
From: Sam Gorton <sgorton@skaion.com>
Date: Thu, 16 Nov 2006 14:51:51 -0500
Cc: pen-test@securityfocus.com
In-reply-to: <1163625740.4230.66.camel@Linux>
References: <1163625740.4230.66.camel@Linux>
On Wed, Nov 15, 2006 at 04:22:19PM -0500, Joseph McCray wrote:
> Have any of you ever taken the time to develop a list of signatures and
> their corresponding tools and/or exploits that actually trigger every
> individual signature the IDS has?

Joe, we did something similar for a client - we picked a single 
exploit and performed a whole set of mangling and evasion tests with 
it.

As a foundation, we used the ISAPI .printer exploit by eEye, which has 
the very useful payload of writing a file on the target system.  If 
the file is there, you know the exploit worked.

To help us automate the correlation, we bound each individual test 
case to a unique source port, and included the source port in the file 
name. (Well, we used N for 9, because the exploit couldn't write a 9, 
but you get the idea).  So that way we knew that for a given suite of 
tests, source port 30000 was test X.

Even if you can't do the rest of it, keying each test case to a source 
port is an enormous help in correlation.

--
Sam Gorton                |   Skaion Corporation
sgorton@skaion.com        |   978-251-3963
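The correlation trick above (one source port per test case, port echoed in the dropped file name, "N" standing in for "9") as an added worked example; this is not Sam's code, and the test names, file-name pattern, alert format and sample data are all constructed for the example:

```python
import re

# Test suite keyed by source port, as the post describes (names are constructed).
TEST_SUITE = {30000: "test X", 30001: "test Y", 30009: "test Z", 30019: "test W"}

# Constructed evidence: files found on the target after the run, and IDS alert
# lines in a "src:port -> dst:port" style. No real sensor output is quoted.
TARGET_FILES = ["ids-30000.txt", "ids-30001.txt", "ids-3000N.txt", "boot.ini"]
ALERT_LINES = [
    "[**] ISAPI .printer overflow [**] 10.0.0.5:30000 -> 10.0.0.9:80",
    "[**] ISAPI .printer overflow [**] 10.0.0.5:30001 -> 10.0.0.9:80",
]

def encode_port(port):
    """File-name token for a port: the exploit could not write a '9', so 'N' stands in."""
    return str(port).replace("9", "N")

def decode_port(token):
    """Reverse of encode_port."""
    return int(token.replace("N", "9"))

def ports_from_target_files(filenames):
    """Recover source ports from dropped files named like 'ids-<port>.txt'."""
    ports = set()
    for name in filenames:
        m = re.fullmatch(r"ids-([0-9N]+)\.txt", name)
        if m:
            ports.add(decode_port(m.group(1)))
    return ports

def ports_from_ids_alerts(lines):
    """Pull the client source port out of each alert line."""
    ports = set()
    for line in lines:
        m = re.search(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+) -> ", line)
        if m:
            ports.add(int(m.group(2)))
    return ports

def correlate(suite, target_files, alert_lines):
    """Map each port to (test name, exploit succeeded, IDS alerted)."""
    hit = ports_from_target_files(target_files)
    seen = ports_from_ids_alerts(alert_lines)
    return {p: (name, p in hit, p in seen) for p, name in suite.items()}

def undetected_successes(results):
    """Ports where the exploit worked but the IDS stayed silent: the coverage gaps to fix."""
    return sorted(p for p, (_, ok, alerted) in results.items() if ok and not alerted)
```

A test whose file never appeared and drew no alert (30019 here) is inconclusive rather than an evasion, which is why the two flags are kept separate.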
