Wednesday, December 13, 2006

Using IDS to monitor versions

This probably isn't a new idea per se, but I've started experimenting with using our network IDS to monitor patch levels on certain applications. The "low hanging fruit" in my case happens to be Thunderbird, which advertises its version number in the User-Agent header of every email it sends. So, I write a Snort rule to flag versions that are less than the one I want (currently, and generate an alert.
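The same check, written out as an added example rather than the rule from the post: Snort's content/pcre matching cannot compare version numbers numerically, so a rule of this kind effectively enumerates the older versions; the Python below does the comparison explicitly over constructed User-Agent lines, with a constructed minimum version of 1.5.0.8 standing in for whatever threshold the rule actually used.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample header lines in the two shapes Thunderbird has used for its
# User-Agent header; none of these were captured from real traffic.
SAMPLE_HEADERS = [
    "User-Agent: Thunderbird 1.5.0.8 (Windows/20061025)",
    "User-Agent: Thunderbird 1.5.0.5 (X11/20060719)",
    "User-Agent: Mozilla/5.0 (X11; U; Linux i686) Gecko/20061025 Thunderbird/1.5.0.8",
    "User-Agent: Mutt/1.5.13 (2006-08-11)",
]

# Placeholder threshold: flag anything older than this (constructed for the example).
MINIMUM_VERSION = (1, 5, 0, 8)

# Matches "Thunderbird 1.5.0.8" as well as "Thunderbird/1.5.0.8".
UA_RE = re.compile(r"Thunderbird[ /](\d+(?:\.\d+)*)")


def parse_version(header: str) -> Optional[Tuple[int, ...]]:
    """Return the Thunderbird version as a tuple of ints, or None if not Thunderbird."""
    m = UA_RE.search(header)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_outdated(header: str, minimum: Tuple[int, ...]) -> bool:
    """True when the header advertises a Thunderbird version below `minimum`."""
    version = parse_version(header)
    if version is None:
        return False  # other mail clients are simply not matched, as with the Snort rule
    # Pad the shorter tuple with zeros so 1.5 compares as 1.5.0.0.
    width = max(len(version), len(minimum))
    padded_version = version + (0,) * (width - len(version))
    padded_minimum = minimum + (0,) * (width - len(minimum))
    return padded_version < padded_minimum


def find_outdated(headers: List[str], minimum: Tuple[int, ...]) -> List[str]:
    """Return the header lines that would have raised the alert."""
    return [h for h in headers if is_outdated(h, minimum)]


if __name__ == "__main__":
    for line in find_outdated(SAMPLE_HEADERS, MINIMUM_VERSION):
        print("ALERT outdated Thunderbird:", line)
```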

Wednesday, December 06, 2006

Social Engineering and IDS Evasion

This isn't IDS evasion in the truest sense; it's more of a social engineering trick that dawned on me and that relates to IDS. It would only work in a small number of cases, but it's worth noting nonetheless.

I run a few Snort sensors, and like any "good IDS analyst" (tm), in addition to piping the packets through Snort, I also save the raw packet captures to disk. This is quite useful when trying to determine whether the alert is a false positive, giving the alert context, etc.

Now, as you can imagine, these files get large fast, and if I had to find three packets in a 50GB packet capture, it would not be a quick endeavor. The typical solution is to rotate after a specified amount of time, and most docs give examples of rotating every 30 minutes via a cron job, depending on your average traffic.

Out of habit, most folks would use :00 and :30 as the times to rotate. Now, a clever individual might realize that this creates some opportunities:

- a brief period of time where packets aren't being captured (between shutdown and startup of the packet capture process)
- with proper timing of the attack, the packets would span two capture files. An analyst might not realize this, and thus not get the whole picture of the attack that generated the alert when plowing through the raw packets.

The above opportunities could be used in combination with other tricks to further disguise an attack.

Some off-the-top-of-my-head mitigations:
- run the cron job at unusual times (obscurity)
- create a script that randomizes the start/stop time (obscurity)
- start a new capture 1 min. before shutting down the old capture

Food for thought. Enjoy.