IDS Focus at insecure.org

Re: DNS Cache Poisoning attack

mario@NOSPAMblupenguin.com (Mario A. Spinthiras) — Fri, 18 Jul 2008 09:40:19 +0300

>From the dsniff package use dnsspoof. A combination of MITM and dnsspoof will give you the required PoC result. -- Warm Regards, Mario A. Spinthiras Blog: Mail: mspinthirasatgmail.com Skype: smario125 Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it ...

Re: Re: Remote File include (RFI) vulnerabilities

aditya.mukadam@NOSPAMgmail.com (aditya.mukadam_at_gmail.com) — Thu, 17 Jul 2008 16:06:17 -0600

It all depends on company's policies and procedure , on which traffic to monitor. Ideally, we should be monitoring incoming & outgoing traffic. This is not only true for RFI but for other signatures/exploits/ etc as well. T Thanks, Aditya Govind Mukadam Test Your IDS ...

NSS Labs Conducting 10 Gbps IPS Group Test

rmoy@NOSPAMnsslabs.com (rmoy_at_nsslabs.com) — 18 Jul 2008 22:49:18 -0000

IPS users, we at NSS Labs are conducting a 10Gbps IPS group test. True 10Gbps appliances and stacked & switched solutions are being evaluated. The IPS test criteria is posted here: ...

Re: DNS Cache Poisoning attack

securescorp@NOSPAMgmail.com (Secure Scorp) — Mon, 21 Jul 2008 08:50:59 +0530

Most of the vendors have released patches/upgrades for the DNS Cache Poisoning attack.So the best approach is to patch/upgrade the vulnerable devices. Thanks, Aditya Govind Mukadam On Fri, Jul 18, 2008 at 7:14 AM, Michael Rash wrote: ...

Re: DNS Cache Poisoning attack

mbr@NOSPAMcipherdyne.org (Michael Rash) — Thu, 17 Jul 2008 21:44:53 -0400

In addition to detection, how about prevention? There is a an easy way to thwart the attack (most likely) for those DNS servers that are deployed on (or behind) either Linux or OpenBSD without patching the DNS server (which is preferrable of course, but not everyone can): --Mike ...

Re: DNS Cache Poisoning attack

joel.esler@NOSPAMmac.com (Joel Esler) — Thu, 17 Jul 2008 11:15:47 -0400

There are Shared Object rules available for the DNS Cache Poisoning attack that are VRT certified available via subscription at www.snort.org . J On Jul 16, 2008, at 10:38 PM, Ravi Chunduru wrote: > Does anybody have snort or Intrupro-IPS signature(s) to detect DNS ...

Re: Remote File include (RFI) vulnerabilities

jamie.riden@NOSPAMgmail.com (Jamie Riden) — Thu, 17 Jul 2008 07:03:08 +0100

2008/7/16 Ravi Chunduru : > Hi, > > I am using IntruPro-IPS to protect both servers and clients. It seems > to be flagging RFI related anomalies for traffic going from internal > clients to servers in Internet. I thought these attacks need to be ...

DNS Cache Poisoning attack

ravi.is.chunduru@NOSPAMgmail.com (Ravi Chunduru) — Wed, 16 Jul 2008 19:38:12 -0700

Does anybody have snort or Intrupro-IPS signature(s) to detect DNS Cache Poisoning attack? Also, is there any PoC to simulate the attack and test the effectiveness of signature(s)? thanks Ravi Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it ...

Remote File include (RFI) vulnerabilities

ravi.is.chunduru@NOSPAMgmail.com (Ravi Chunduru) — Wed, 16 Jul 2008 12:05:54 -0700

Hi, I am using IntruPro-IPS to protect both servers and clients. It seems to be flagging RFI related anomalies for traffic going from internal clients to servers in Internet. I thought these attacks need to be detected only if the internal servers are being attacked. That is, I ...

RE: Signature for CVE ID: CVE-2008-1151 (CISCO PPTP memory leak - DoS)

srao@NOSPAMintoto.com (Srinivasa Addepalli) — Fri, 11 Jul 2008 11:52:48 -0700

I was referring to checking version on the packets coming from internal PPTP server. PPTP protocol, as I understand, defines fields for vendor specific string and firmware version. I am not sure whether or not CISCO fills up ...

Re: Signature for CVE ID: CVE-2008-1151 (CISCO PPTP memory leak - DoS)

securescorp@NOSPAMgmail.com (Secure Scorp) — Wed, 9 Jul 2008 08:54:40 +0530

( Appending my earlier email to this thread for ref.) Srini, An attacker would not need to craft or have mention of (the vulnerable Cisco IOS code) 'version 12.3' into the PPTP packet. Also, if there is non-Cisco deployment for PPTP, you don't even have to worry about ...

Re: Signature for CVE ID: CVE-2008-1151 (CISCO PPTP memory leak - DoS)

srao@NOSPAMintoto.com (Srinivasa Addepalli) — Mon, 7 Jul 2008 09:09:49 -0700

You are right that these kinds of DoS attacks are difficult to detect at Network IDS/IPS level due to the problems you mentioned - false positives and false negatives. I suggest that you consider "version" of cisco routers in your rules ...

Re: Signature for CVE ID: CVE-2008-1151 (CISCO PPTP memory leak - DoS)

securescorp@NOSPAMgmail.com (Secure Scorp) — Sat, 5 Jul 2008 13:19:31 +0530

This vulnerablity as described by Cisco occurs when the PPTP session is terminated. Please note it states 'terminated'. If terminates means log off then it means that a legitimate active connective has logged off etc. For this vulnerablity to be exploited the user should be a ...

Signature for CVE ID: CVE-2008-1151 (CISCO PPTP memory leak - DoS)

ravi.is.chunduru@NOSPAMgmail.com (Ravi Chunduru) — Fri, 4 Jul 2008 09:03:59 -0700

Please see these links for more information on vulnerability: According to this vulnerability report, PPTP process in CISCO routers leak memory upon every PPTP termination. Eventually memory is used up and no other PPTP connections are entertained. How does one go about writing signatures for detecting exploits ...

Re: TippingPoint Recommended Disabled Filters

securescorp@NOSPAMgmail.com (Secure Scorp) — Thu, 3 Jul 2008 08:48:43 +0530

The Tipping Point IPS out-of-the-box configuration recognizes and blocks malicious traffic that is known to be malicious at all times, under all conditions, in all network environments.From a Security Standpoint, a default Configured IPS is configured as follows: �There is a single Default Security Policy � All Filters in this ...