Introduction to Ngrep

Monday, 13 January 2003, 1:05 PM EST

During the course of investigating the wu-ftpd exploit, analysts were reminded of one of the limitations of current Intrusion Detection Systems: the inability to handle regular expressions. When the attack has identifiable fixed strings of characters, the signature is reasonably straightforward:

alert tcp $EXTERNAL_NET any -> $HOME_NET 21
(msg:"FTP EXPLOIT wu-ftpd 2.6.0"; flags: A+;
content: "|2e2e3131|venglin@";reference:arachnids,440;
classtype:attempted-user; sid:348; rev:1;)

This Snort signature matches packets sent to an FTP server (TCP port 21) whose payload contains the hex bytes 2e2e3131 (the ASCII string "..11") followed by the word "venglin@".

The problem comes when there is no fixed series of characters to match against. The November 2001 wu-ftpd exploit relied on the fact that a sequence of whitespace, a tilde, optional characters, a left curly brace, and then any other characters without a matching right curly brace would crash wu-ftpd, allowing a buffer overflow exploit to take over the server.

Because of the possibility of additional characters, and the requirement that the second block of characters not contain a "}", we need something stronger than fixed-string matching.
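As an added illustration (not part of the original article), the following Python contrasts a fixed-string check like the Snort content match above with a regular expression for the tilde-and-brace pattern the article describes, run over constructed FTP command lines. The ngrep command line quoted in the comment is an assumption about that tool's syntax, not something taken from this page.

```python
import re

# Constructed sample FTP command payloads (not captured traffic); each is
# the data part of one packet sent to TCP port 21.
SAMPLE_PAYLOADS = [
    b"USER anonymous\r\n",
    b"CWD ~{\r\n",                 # whitespace, tilde, brace, no closing brace
    b"CWD ~user{abc\r\n",          # optional characters between the ~ and the {
    b"CWD ~{a,b}\r\n",             # matching right brace: a normal glob
    b"RETR ..11venglin@\r\n",      # the fixed string from the Snort rule
    b"LIST\r\n",
]

# Fixed-string content match, as in the Snort rule: bytes 2e2e3131 + "venglin@".
FIXED_CONTENT = bytes.fromhex("2e2e3131") + b"venglin@"


def fixed_string_match(payload: bytes) -> bool:
    """A content match can only ask 'is this exact byte string present?'."""
    return FIXED_CONTENT in payload


# Regular expression for the pattern the article describes: whitespace, a
# tilde, optional characters (no brace), a left curly brace, then characters
# with no right curly brace before the end of the command line.
# Assumption: the same expression could be handed to ngrep as its match
# expression, e.g.  ngrep -q -d eth0 '\s+~[^{]*\{[^}]*$' 'tcp dst port 21'
TILDE_BRACE = re.compile(rb"\s+~[^{\r\n]*\{[^}\r\n]*(?:\r?\n|$)")


def regex_match(payload: bytes) -> bool:
    """True when the payload carries an unclosed tilde-brace sequence."""
    return TILDE_BRACE.search(payload) is not None


def scan(payloads):
    """Return (payload, fixed_string_hit, regex_hit) for each sample payload."""
    return [(p, fixed_string_match(p), regex_match(p)) for p in payloads]


if __name__ == "__main__":
    for payload, fixed_hit, regex_hit in scan(SAMPLE_PAYLOADS):
        print(f"{payload!r:30} fixed={fixed_hit!s:5} regex={regex_hit}")
```

Running it shows the fixed string only catches the single "..11venglin@" line, while the regex flags both brace variants and ignores the properly closed "~{a,b}" glob.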

Copyright 1998-2014 by Help Net Security.