IDS Focus (focus-ids) Mailing List

Re: DNS Cache Poisoning attack

Fri, 18 Jul 2008 09:40:19 +0300

Posted by Mario A. Spinthiras on Jul 18

>From the dsniff package use dnsspoof. A combination of MITM and
dnsspoof will give you the required PoC result.

Re: Re: Remote File include (RFI) vulnerabilities

Thu, 17 Jul 2008 16:06:17 -0600

Posted by aditya.mukadam_at_gmail.com on Jul 17

('binary' encoding is not supported, stored as-is) It all depends on company's policies and procedure , on which traffic to monitor. Ideally, we should be monitoring incoming & outgoing traffic. This is not only true for RFI but for other signatures/exploits/ etc as well. T

Thanks,
Aditya...

NSS Labs Conducting 10 Gbps IPS Group Test

18 Jul 2008 22:49:18 -0000

Posted by rmoy_at_nsslabs.com on Jul 18

('binary' encoding is not supported, stored as-is) IPS users, we at NSS Labs are conducting a 10Gbps IPS group test. True 10Gbps appliances and stacked & switched solutions are being evaluated.

The IPS test criteria is posted here:
http://nsslabs.com/certification-criteria/ips

We are...

Re: DNS Cache Poisoning attack

Mon, 21 Jul 2008 08:50:59 +0530

Posted by Secure Scorp on Jul 21

Most of the vendors have released patches/upgrades for the DNS Cache
Poisoning attack.So the best approach is to patch/upgrade the
vulnerable devices.

Thanks,
Aditya Govind Mukadam

On Fri, Jul 18, 2008 at 7:14 AM, Michael Rash <mbr_at_cipherdyne.org> wrote:
> In addition to...

Re: DNS Cache Poisoning attack

Thu, 17 Jul 2008 21:44:53 -0400

Posted by Michael Rash on Jul 17

In addition to detection, how about prevention? There is a an easy way
to thwart the attack (most likely) for those DNS servers that are deployed
on (or behind) either Linux or OpenBSD without patching the DNS server
(which is preferrable of course, but not everyone can):

...

Re: DNS Cache Poisoning attack

Thu, 17 Jul 2008 11:15:47 -0400

Posted by Joel Esler on Jul 17

There are Shared Object rules available for the DNS Cache Poisoning
attack that are VRT certified available via subscription at www.snort.org
.

On Jul 16, 2008, at 10:38 PM, Ravi Chunduru wrote:

> Does anybody have snort or Intrupro-IPS signature(s) to detect DNS
> Cache...

Re: Remote File include (RFI) vulnerabilities

Thu, 17 Jul 2008 07:03:08 +0100

Posted by Jamie Riden on Jul 17

2008/7/16 Ravi Chunduru <ravi.is.chunduru_at_gmail.com>:
> Hi,
>
> I am using IntruPro-IPS to protect both servers and clients. It seems
> to be flagging RFI related anomalies for traffic going from internal
> clients to servers in Internet. I thought these...

DNS Cache Poisoning attack

Wed, 16 Jul 2008 19:38:12 -0700

Posted by Ravi Chunduru on Jul 16

Does anybody have snort or Intrupro-IPS signature(s) to detect DNS
Cache Poisoning attack?
Also, is there any PoC to simulate the attack and test the
effectiveness of signature(s)?

thanks
Ravi

------------------------------------------------------------------------
Test Your IDS

Is your...

Remote File include (RFI) vulnerabilities

Wed, 16 Jul 2008 12:05:54 -0700

Posted by Ravi Chunduru on Jul 16

Hi,

I am using IntruPro-IPS to protect both servers and clients. It seems
to be flagging RFI related anomalies for traffic going from internal
clients to servers in Internet. I thought these attacks need to be
detected only if the internal servers are being attacked. That is, I
think...

RE: Signature for CVE ID: CVE-2008-1151 (CISCO PPTP memory leak - DoS)

Fri, 11 Jul 2008 11:52:48 -0700

Posted by Srinivasa Addepalli on Jul 11

I was referring to checking version on the packets coming from internal PPTP
server. PPTP protocol, as I understand, defines fields for vendor specific
string and firmware version. I am not sure whether or not CISCO fills up
these fields. If it does, these values can be used to check in the...

Re: Signature for CVE ID: CVE-2008-1151 (CISCO PPTP memory leak - DoS)

Wed, 9 Jul 2008 08:54:40 +0530

Posted by Secure Scorp on Jul 9

( Appending my earlier email to this thread for ref.)

Srini,

An attacker would not need to craft or have mention of (the vulnerable
Cisco IOS code) 'version 12.3' into the PPTP packet. Also, if there is
non-Cisco deployment for PPTP, you don't even have to worry about
adding signature to...

Re: Signature for CVE ID: CVE-2008-1151 (CISCO PPTP memory leak - DoS)

Mon, 7 Jul 2008 09:09:49 -0700

Posted by Srinivasa Addepalli on Jul 7

You are right that these kinds of DoS attacks are difficult to detect
at Network IDS/IPS level due to the problems you mentioned - false
positives and false negatives.

I suggest that you consider "version" of cisco routers in your rules
to avoid false positives in deployment...

Re: Signature for CVE ID: CVE-2008-1151 (CISCO PPTP memory leak - DoS)

Sat, 5 Jul 2008 13:19:31 +0530

Posted by Secure Scorp on Jul 5

This vulnerablity as described by Cisco occurs when the PPTP session
is terminated. Please note it states 'terminated'. If terminates means
log off then it means that a legitimate active connective has logged
off etc. For this vulnerablity to be exploited the user should be a
legitimate...

Signature for CVE ID: CVE-2008-1151 (CISCO PPTP memory leak - DoS)

Fri, 4 Jul 2008 09:03:59 -0700

Posted by Ravi Chunduru on Jul 4

Please see these links for more information on vulnerability:

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1151
http://www.cisco.com/en/US/products/products_security_advisory09186a0080969862.shtml

According to this vulnerability report, PPTP process in CISCO routers
leak memory upon every...

Re: TippingPoint Recommended Disabled Filters

Thu, 3 Jul 2008 08:48:43 +0530

Posted by Secure Scorp on Jul 3

The Tipping Point IPS out-of-the-box configuration recognizes and
blocks malicious traffic that is known to be malicious at all times,
under all conditions, in all network environments.From a Security
Standpoint, a default Configured IPS is configured as follows:
–There is a single Default...