Open Source and information security mailing list archives
From: wtfeva at mailvault.com (Ma tsu Kan daga waga)
Subject: An open question for Snort and Project Honeynet

To the skilled but flawed fake at http://www.phrack.nl/phrack62/ and your mail Mr. Rueubens.

> Do any of you have anything to say about that? When you say "look for
> yourself" surely you don't mean to claim that Average Joe Admin has the
> requisite skillset and detailed knowledge necessary to spot something
> potentially that subtle?

This "introduction of deliberate weaknesses" is quite easy to find when you have different releases of code to compare against. There is even a Windows tool called windiff that I believe is available on any Windows platform for free back to Win95 that makes it A+ friendly.

> And would anyone care to address the "off-by-one's, integer overflows,
> and logic bugs" m1lt0n alluded to in his or her article about Snort?

"It goes a little something like this"

Download two different versions, verify the signatures, and open them up. Point windiff at them and start reading. Any time you see a strcpy where there once was a strncpy there might be a suspect bit of code. But you should know this and the rest of the methodologies. ( unless you are just a drone in PR who gets paid to spread FUD of course )

> How
> do you intend to counter the effects of Sneeze?

"/* we can't hope to generate these sorts of packets, so just skip them automatically */"

I went and read a little of the snort manual on rules [0], just as you and the author could have. How is it the author cannot hope to produce a web request with the "uricontent" as specified? whisker is just as good a template for that as the first sneeze is for this bit of code. If you are going to steal why not steal a lot? How is it the author cannot adjust the TTL? After they did an nmap of the target I find it hard to believe that they are concerned about noise. Do they not know how to get the number of hops?

The first sneeze available from the snort project on sourceforge appears more capable than this. I don't think that a response is needed from the snort people since it has been available since "Mon Aug 06 2001 - 10:39:32 CDT" [1] and not caused problems yet.

"/* we can only handle a small subset of datasize keywords... don't worry about ranges, only worry about the '>' operator, which will usually only be used to detect overflow attempts */"

Cannot handle smaller bits of data?

"/* Exceed '>' directive by x bytes */
#define GT_INC 16"

Inline?

> Any comments on the Sebek piece?

"Any project based upon a flawed premises will result in products no less flawed then the premise it was based upon."

How about any statement of fact based on an assumption is but an assumption.

"However, If an adversary knows how they are being monitored, the adversary is able to develop methods to determine if they are benign monitored"

But they already "know they are being monitored"; does anything else matter? A Honeypot is designed to find this kind of information and the people with both the skills and intentions to use them. Seems that project has paid off pretty well by disclosing more wonderfully useful bits of information on what the bad people might be up to and how.

"Assuming an adversary knows they are being monitored, then it must be assumed that a determined adversary will study the ways that the monitoring devices operate."

The determined adversary is just the one these things are designed to discover. What makes you think that the discovery is not made when these methods are employed and a forensic analysis ultimately performed? Why would you think that you would know?

and my favorite statement

"If the discovered flaws are of such a nature where the adversary can cause arbitrary code execution, either as a result of the device or one of its supporting code libraries, then the attacker may be able to compromise the supporting systems that monitor the honeypot, and any other honeypots which trust that supporting system."

There are more what-if statements in there than I care to dissect. It is a honeypot. It is disposable by nature and properly implemented offers no more risk than anything else, arguably less risk overall. But really... let's ponder for a minute... The intent is to find the attacker that is skilled and capable of doing this. I think it is pretty successful at just that. Besides, I would rather an attacker spend the time figuring out how to circumvent this monitoring than penetrating real defenses.

"gid=0(apache)" [2] - You learn something new every day!

There is not enough space to continue with this. This thing is riddled with obvious forgery. Where is that full-exposure list? Can I suggest that you use your incredible powers of deductive reasoning there first?

> How confident are you in people who are
> doing your code review, anyway?

I am incredibly confident in the people doing code review. You see it is available for all to review including you and me. Not only are skilled people that do code review for a living looking at the code but so are a lot of people that do it for a hobby. I think I can have confidence in the record to date and in the future of this method over the alternative closed "trust me" method. I could not find enough comparisons to the honeynet project to present a reasonable position but a little research shows that the record of snort is far better than the alternatives. Take a look at the history of Real [in]Secure(tm)

> I honestly hope the PHC does the same to every last one of the
> components of Project Honeynet: Honeyd, VMWare, the works. Whether you
> choose to admit it or not, the latest releases from Phrack do more to
> further the improvement of these technologies than the vast majority of
> researchers who are scared stiff at the prospect of losing funding.

It is a definite contribution to security, it serves to educate people about verifying information before acting on it. I doubt that anything released in the phake phrak will end up being earth shattering when we look back at it next year. Of course I don't think any of it is earth shattering in the here and now so I could be biased.

> You
> complain now and tisk-tisk about the PHCs "juvenile" approach and tell
> yourselves it's all social engineering, but why not ask yourself where
> you'd be if they chose to sit on the papers they released yesterday
> instead? Ignoring people because you find them distasteful doesn't make
> the problem go away.

Many of us find it quite entertaining. Regardless, it is but a cry for attention and if you get it this way instead of killing a room full of children then I am happy to laugh at you.

[snip - bad bait, cut some new squid please]

> If these recent embarrassments don't result in SIGNIFICANT improvements
> in Snort and a top-to-bottom review of honeynet design, I strongly
> suspect there's going to be some serious consequences. Just a wee hunch.

I am all for improvement but I doubt this has any relevance to the resulting works. Just a wee hunch, you are but a little upset that these projects are successful and benefit the world ultimately taking cash out of your pocket and putting it back into the hands of the honest people. Do you wear the yellow suit in those wonderful ads? I think they peddle a honeypot product and an IDS product. Didn't they just purchase an IPS product too? Let's recap, you attack a honeypot, an IDS, and an IPS capable IDS. That is pretty suspect to me.

> I swear to God if I had a hundred thousand dollars in unmarked bills
> right now, I'd hand it over to the Phrack men this very minute with a
> heartfelt "thank you".

Sounds to me like the words of a slighted person. What failed company did you work for that was founded on a "flawed premise"? Good thing if you ask me. Now you don't have that "hundred thousand dollars in unmarked bills" that honest people earned to hand out to dishonest just people like yourself.

[snip - bad bait, you really need to cut that squid]

> (I have no interest in addressing your ad-hominem attacks, so I just
> thought I'd say it for you and get that out of the way.)

But I felt like it anyway Mr. Rueubens. Go watch another movie please.

To close this out. I think you should get on your knees and thank all of the open source developers that honestly invest time in these projects for people like you to sit back and "shoot" at. Where were you when the "That server was a honeypot that was also used to provide software downloads to .edu" statement was published by the Real [in]Secure(tm) people? Next time do a little research for yourself before opening your mouth and inserting your foot. It might cut down on the dental visits. If you want the answers as an absolute go audit the code yourself and publish your results. If you cannot do that pay for a professional audit or create a fund and put together one. If you find a vulnerability publish it. If you think you can do better produce something. It is my belief from your rants that you are only interested in spreading FUD for some third party to support your own position. I think the silence from the world to your questions is a testament to the quality and security of these products and to your flawed logic and dishonest motives. The remaining question is what is your real interest and motivation? Please quit wasting my time with your FUD and go watch another movie.

./wtfeva

[0] - http://www.snort.org/docs/writing_rules/
[1] - http://archives.neohapsis.com/archives/snort/2001-08/0180.html
[2] - http://www.phrack.nl/phrack62/p62-0x03.txt
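The message above describes the release-comparison pass by hand: fetch two versions, verify the signatures, diff them, and read for a strcpy where there once was a strncpy. The script below is an added example, not part of the original post and not code from the Snort project; it automates that first pass over two constructed C snippets and generalizes the single strncpy/strcpy pair into a small watch-list of bounded/unbounded function pairs, which is an assumption chosen for the example rather than anything the post specifies.

```python
"""Flag bounded -> unbounded C string-function swaps between two releases.

Added example (not from the original post or from Snort). OLD_SRC and
NEW_SRC are constructed samples standing in for two signed releases that
have already been downloaded and verified, as the post describes.
"""
import difflib
import re

# Bounded -> unbounded pairs worth a second look when they swap between
# releases. Assumption: this table is a starting point chosen for the
# example, not a complete list of risky C APIs.
RISKY_SWAPS = {
    "strncpy": "strcpy",
    "strncat": "strcat",
    "snprintf": "sprintf",
    "fgets": "gets",
}

# An identifier directly followed by "(" so we pick up call-shaped tokens
# rather than every mention of a name.
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")

OLD_SRC = """\
/* constructed sample: release A */
#include <string.h>
static void set_name(char *dst, const char *src, size_t n) {
    strncpy(dst, src, n - 1);
    dst[n - 1] = '\\0';
}
static void log_msg(char *buf, size_t n, const char *m) {
    snprintf(buf, n, "msg: %s", m);
}
"""

NEW_SRC = """\
/* constructed sample: release B */
#include <string.h>
static void set_name(char *dst, const char *src, size_t n) {
    strcpy(dst, src);
}
static void log_msg(char *buf, size_t n, const char *m) {
    snprintf(buf, n, "msg: %s", m);
}
"""


def calls_in(line: str) -> set:
    """Function names that appear as call sites on one source line."""
    return set(CALL_RE.findall(line))


def find_risky_swaps(old_src: str, new_src: str) -> list:
    """Diff two versions of a file and report each changed hunk in which a
    bounded call disappeared while its unbounded counterpart appeared.

    Each finding carries the 1-based line number in the new file, the pair
    of functions, and the new line of code, so a reviewer can open the hunk
    and read it the way the post says to."""
    old_lines = old_src.splitlines()
    new_lines = new_src.splitlines()
    matcher = difflib.SequenceMatcher(a=old_lines, b=new_lines, autojunk=False)
    findings = []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            continue
        removed, added = set(), set()
        for line in old_lines[i1:i2]:
            removed |= calls_in(line)
        for line in new_lines[j1:j2]:
            added |= calls_in(line)
        for bounded, unbounded in RISKY_SWAPS.items():
            if bounded not in removed or unbounded not in added:
                continue
            # Report the first new line that carries the unbounded call.
            for offset, line in enumerate(new_lines[j1:j2]):
                if unbounded in calls_in(line):
                    findings.append({
                        "new_line": j1 + offset + 1,
                        "from": bounded,
                        "to": unbounded,
                        "code": line.strip(),
                    })
                    break
    return findings


def unified_diff_text(old_src: str, new_src: str,
                      old_name: str = "release-a.c",
                      new_name: str = "release-b.c") -> str:
    """The plain unified diff, which is what a reviewer reads next."""
    return "".join(difflib.unified_diff(
        old_src.splitlines(keepends=True), new_src.splitlines(keepends=True),
        fromfile=old_name, tofile=new_name))


if __name__ == "__main__":
    for hit in find_risky_swaps(OLD_SRC, NEW_SRC):
        print(f"release-b.c:{hit['new_line']}: {hit['from']} -> {hit['to']}: {hit['code']}")
    print(unified_diff_text(OLD_SRC, NEW_SRC))
```

A hit from this script is a lead, not a verdict: a bounded call can legitimately be replaced when the caller proves the size some other way, so the hunk still has to be read, which is exactly the reading step the post puts after windiff. Signature verification of both releases belongs before the diff, since a diff between two tampered trees proves nothing.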