Introduction to Ngrep

Monday, 13 January 2003, 1:05 PM EST

During the course of investigating the wu-ftpd exploit, analysts were reminded of one of the limitations of current Intrusion Detection Systems: the inability to handle regular expressions. When the attack has identifiable fixed strings of characters, the signature is reasonably straightforward:

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 \
(msg:"FTP EXPLOIT wu-ftpd 2.6.0"; flags: A+; \
content: "|2e2e3131|venglin@"; reference:arachnids,440; \
classtype:attempted-user; sid:348; rev:1;)

This Snort signature recognizes packets sent to an FTP server whose payload contains the hex bytes 2e 2e 31 31 (the ASCII characters "..11") followed by the word "venglin@".

The problem comes when we don't have a fixed series of characters to match against. The November 2001 wu-ftpd exploit used the fact that a sequence of whitespace, a tilde, optional characters, a left curly brace, and any other characters without a matching right curly brace would crash wu-ftpd, allowing a buffer overflow exploit to take over.

Because of the possibility of additional characters and the requirement that the second block of characters not contain a "}", we need to use something stronger than fixed strings.
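To make the difference concrete, here is an added example (not code from the original article or from the ngrep project) that runs both approaches over a few constructed FTP command lines: the fixed-string check reproduces the Snort `content` match above, and the regular expression is my rendering of the prose description (whitespace, a tilde, optional characters, a left curly brace, then characters with no closing brace before the end of the command). Function names, the sample lines and the exact regex are assumptions made for this illustration.

```python
import re

# Fixed content from the Snort 2.6.0 signature: bytes 2e 2e 31 31 ("..11") then "venglin@".
FIXED_CONTENT = b"\x2e\x2e\x31\x31venglin@"

# Regex rendering of the prose pattern (an assumption, not the article's own rule):
#   \s+   one or more whitespace characters
#   ~     a tilde
#   .*    optional characters
#   \{    a left curly brace
#   [^}]* anything that is not a right curly brace
#   $     ... up to the end of the command line, so no matching "}" ever appears.
UNBALANCED_BRACE = re.compile(rb"\s+~.*\{[^}]*$")


def fixed_string_match(payload: bytes) -> bool:
    """Equivalent of the Snort content match: a plain substring test."""
    return FIXED_CONTENT in payload


def unbalanced_brace_match(payload: bytes) -> bool:
    """Regex match, evaluated per FTP command line.

    FTP commands are CRLF-terminated and a payload may carry several
    pipelined commands, so split on "\n", strip the "\r", and let "$"
    anchor at the end of each individual command.
    """
    for line in payload.split(b"\n"):
        if UNBALANCED_BRACE.search(line.rstrip(b"\r")):
            return True
    return False


# Constructed sample command lines (not captured traffic).
SAMPLES = [
    (b"LIST\r\n",              "ordinary command"),
    (b"CWD ..11venglin@\r\n",  "fixed string from the Snort rule"),
    (b"CWD ~{\r\n",            "tilde and unclosed brace"),
    (b"CWD ~xyz{aaaa\r\n",     "extra characters before the brace"),
    (b"CWD ~{a}{b\r\n",        "balanced group followed by an unclosed one"),
    (b"CWD ~{foo}\r\n",        "balanced braces, should not match"),
    (b"CWD ~\r\n",             "tilde without any brace"),
]


def classify(samples):
    """Return (description, fixed_hit, regex_hit) for each sample line."""
    return [
        (desc, fixed_string_match(line), unbalanced_brace_match(line))
        for line, desc in samples
    ]


if __name__ == "__main__":
    for desc, fixed_hit, regex_hit in classify(SAMPLES):
        print(f"{desc:45s} fixed={fixed_hit!s:5s} regex={regex_hit}")
```

Only the second sample trips the fixed-string check, while the regex catches the three unclosed-brace variants and correctly ignores the balanced `{foo}` case; that gap is exactly what a tool like ngrep, which applies a regular expression to packet payloads, is meant to close. Note that whether constructs such as `\s` are accepted in an ngrep match expression depends on the regex library ngrep was built against.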

Copyright 1998-2014 by Help Net Security.