RE: Application level IDS?
From: Eric Greenberg <eric(at)netframeworks.com>
Date: Wed Jun 18 2003 - 21:26:19 EDT
You gave specific examples of exploits that may not be detectable by IDS systems in general-- for example, it's very hard to detect SQL injection as an incorrect behavior when it is acceptable, though risky, for an application programmer to accept browser input as an argument to a system call. If you or others have thoughts on how an architecture could be developed to detect such things, I'd be interested. I'm sure there are some brilliant minds that have given it some thought.

In terms of general approaches to controlling such things, one could consider Java code signing for example, wherein there is the attempt to create the notion of a sandbox-- a safe area-- for executable control. For example, one could imagine containing an SQL script to within a sandbox, thus containing anything that would otherwise be injectable that might represent a function not allowed within the pre-defined sandbox. Or if there were a profile of the application (a dynamically developed sandbox "profile") and an application stepped out of those bounds, a system could perhaps detect it. I tend to think of it as an operating system level function in an ideal world. No doubt though, application-level IDS's nearly become operating system overlays.

Regards,
Eric Greenberg
-----Original Message-----
Hi IDS experts, I'm not deeply familiar with IDS technologies and products, so I apologize in advance if this is a too-trivial question: Is there anything like an "application level IDS"? (similar to what is now called "application firewall"?) What I mean is something that has the non-intrusive characteristics of an IDS (as it was discussed lately regarding Gartner's article - I'm talking about I_D_S and not I_P_S) but which is doing deep application level analysis, maybe even application-session (cookies?) related analysis (though I'm not sure it is possible to keep track of a session when you're just monitoring traffic).

I think such a system should be able to detect the many application level attacks - SQL injections, hidden-fields tampering, cookie poisoning etc. while being more sensitive than a firewall\IPS considering it is not blocking any traffic upon detecting.

Does something like that exist? Has any of you implemented it? Can it be implemented using any of the existing IDS's (maybe on top of Snort's stream4? Someone mentioned in a recent post "build POP3 protocol intelligence" - how can this be done with existing tools? Can it be done for HTTP\HTML as well?)

TIA,
(-) Smokey.

"You can't have everything. Where would you put it?" (Steven Wright)
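Both messages above touch the same idea: a passive monitor that learns a per-parameter "profile" of an application's normal HTTP traffic and alerts (without blocking) when a request steps outside it, which is one way to surface the SQL injection and hidden-field tampering cases the original question lists. The following is an added example written for this archive page, not code from either poster or from any IDS product; the request format, the training traffic and the length/character-class heuristics are all constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import parse_qsl

# Constructed sample traffic, as a passive monitor would reconstruct it from a
# TCP stream: "METHOD path?query" for GET, "METHOD path body" for POST.
TRAINING = [
    "GET /search?q=shoes&page=1", "GET /search?q=red+boots&page=2",
    "GET /search?q=winter+hat&page=10",
    "POST /order item=1042&qty=2", "POST /order item=77&qty=1",
]

def char_class(c):
    # Letters, digits and whitespace are pooled; every other character is its own class.
    return "alpha" if c.isalpha() else "digit" if c.isdigit() else "space" if c.isspace() else c

def parameters(request):
    """Yield (path, name, value) for every parameter of one request."""
    method, target, *body = request.split(" ", 2)
    path, _, query = target.partition("?")
    qs = query if method == "GET" else (body[0] if body else "")
    for name, value in parse_qsl(qs, keep_blank_values=True):
        yield path, name, value

def learn_profile(requests):
    """Learn, per (path, parameter), the longest value and the character classes seen."""
    profile = defaultdict(lambda: {"max_len": 0, "classes": set()})
    for req in requests:
        for path, name, value in parameters(req):
            entry = profile[(path, name)]
            entry["max_len"] = max(entry["max_len"], len(value))
            entry["classes"].update(char_class(c) for c in value)
    return dict(profile)

def check(profile, request, slack=2):
    """Return alerts for parameters outside the learned profile; observe only, never block."""
    alerts = []
    for path, name, value in parameters(request):
        entry = profile.get((path, name))
        if entry is None:  # a parameter the application never sent, e.g. an added hidden field
            alerts.append(f"{path}: unexpected parameter {name!r}")
            continue
        if len(value) > slack * entry["max_len"]:
            alerts.append(f"{path}: {name}={value!r} exceeds learned length")
        unseen = {char_class(c) for c in value} - entry["classes"]
        if unseen:  # e.g. a quote character in a field that only ever carried letters
            alerts.append(f"{path}: {name}={value!r} uses unseen classes {sorted(unseen)}")
    return alerts

PROFILE = learn_profile(TRAINING)
```

A real deployment would need a much larger learning set and a way to re-learn when the application changes, since every legitimate new parameter or value shape would otherwise alert.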