
RE: TDS level attack- IDS and Industrial intelligence

From: Drew Copley <dcopley(at)eeye.com>
Date: Wed Jul 09 2003 - 16:05:37 EDT


In short, your typical IDS which "handles TDS" will be able to get some static attacks. Someone files an advisory, their signature guys write up a signature based on that advisory. This is a static signature, which is great for static portions of the protocol, such as the one the Sapphire worm operated on. But it is useless for the many issues found within the SQL language itself.

'Detecting a variety of buffer overflow attacks' is quite different from being able to detect every possible variation of existing SQL attacks. (And, indeed, the phrase "parses TDS" is a very ambiguous term -- unless you mean that you can truly parse all incoming SQL attacks as the SQL engine itself would parse them).

On a typical SQL overflow (outside of such SQL bugs as the Sapphire worm which used a static portion of the protocol) you may have an overly long buffer presented:

[Ax1000]

Might be presented legitimately as:

'AAAAA...' + 'AAAA...' + ... Or as

@mybin1 + @mybin2

Etc, etc.... Logical operators might be used or not... And, further, there are numerous commands which might be used for such overflows such as "replicate()". (And note, many SQL issues use the replicate command in their demonstration, but this command could be removed, of course).


Lastly, you have much otherwise legitimate traffic which might be quite illegitimate. For instance, your everyday [and many] SQL injection attacks.

Static protocols posed some difficulties. There are a variety of ways to encode or segment such traffic. But with full-blown languages such as JavaScript or SQL going over the net -- this is a different can of worms.

Ed Cole has some very good comments here. He is absolutely right.

> -----Original Message-----
> From: Palmer, Paul (ISSAtlanta) [mailto:PPalmer@iss.net]
> Sent: Tuesday, July 08, 2003 8:57 AM
> To: ed cole; focus-ids@securityfocus.org
> Subject: RE: TDS level attack- IDS and Industrial intelligence
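An added example, not from the email or the list: a small Python folder that estimates the effective length of a T-SQL string argument by evaluating concatenation, @variables and replicate() symbolically, which is the kind of parsing a static "long buffer" signature cannot do. The procedure name xp_vuln, the 256-character limit and the sample script are constructed for the illustration.

```python
import re

TOKEN = re.compile(r"'(?:[^']|'')*'|@\w+|\w+|[+(),]")  # literal, @variable, word or integer, punctuation

def fold_length(text, env):
    """Fold expr := term ('+' term)*, term := 'literal' | @var | replicate(expr, int), to its length."""
    if re.sub(r"\s+", "", TOKEN.sub("", text)):  # leftovers are outside the grammar: reject, never skip
        raise ValueError(f"unsupported characters in {text[:40]!r}")
    toks, pos = TOKEN.findall(text), 0
    def take(want=None):
        nonlocal pos
        tok, pos = (toks[pos] if pos < len(toks) else ""), pos + 1
        if want is not None and tok != want:
            raise ValueError(f"expected {want!r}, got {tok!r}")
        return tok
    def term():
        tok = take()
        if tok.startswith("'"):  # literal: characters after unescaping ''
            return len(tok[1:-1].replace("''", "'"))
        if tok.startswith("@"):  # variable: the length recorded when it was SET
            return env[tok.lower()]
        if tok.lower() == "replicate":  # replicate(s, n) folds to len(s) * n
            take("("); inner = expr(); take(","); count = take(); take(")")
            if not count.isdigit():
                raise ValueError("replicate count must be an integer literal")
            return inner * int(count)
        raise ValueError(f"unexpected token {tok!r}")
    def expr():
        total = term()
        while pos < len(toks) and toks[pos] == "+":
            take(); total += term()
        return total
    total = expr()
    if pos != len(toks):
        raise ValueError("trailing tokens after expression")
    return total

def long_arguments(script, limit=256):
    """Replay SET @v = expr, then report each EXEC <proc> <expr> whose folded length exceeds limit."""
    env, hits = {}, []
    for stmt in filter(None, (s.strip() for s in re.split(r"[;\n]+", script))):
        m = re.match(r"(set|exec)\s+(@?\w+)\s*=?\s*(.*)", stmt, re.I | re.S)
        if not m:
            raise ValueError(f"unsupported statement {stmt[:30]!r}")
        length = fold_length(m.group(3), env)
        if m.group(1).lower() == "set":
            env[m.group(2).lower()] = length
        elif length > limit:
            hits.append((m.group(2), length))
    return hits
```

Lengths are folded arithmetically, so a replicate() of a few megabytes costs nothing to evaluate, and any character the grammar does not cover is rejected rather than skipped so that the folder cannot be walked past.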





Received on Fri Jul 11 13:02:36 2003
