Message-ID: <200309260243.h8Q2hgL23856@netsys.com>
From: wtfeva at mailvault.com (Ma tsu Kan daga waga)
Subject: An open question for Snort and Project Honeynet
To the skilled but flawed fake at http://www.phrack.nl/phrack62/ and
your mail Mr. Rueubens.
>
>Do any of you have anything to say about that? When you say "look for
>yourself" surely you don't mean to claim that Average Joe Admin has the
>requisite skillset and detailed knowledge necessary to spot something
>potentially that subtle?
This "introduction of deliberate weaknesses" is quite easy to find when
you have different releases of code to compare against. There is even a
windows tool called windiff that I believe is available on any windows
platform for free back to Win95 that makes it A+ friendly.
>
>And would anyone care to address the "off-by-one's, integer overflows,
>and logic bugs" m1lt0n alluded to in his or her article about Snort?
"It goes a little something like this"
Download two different versions, verify the signatures, and open them
up. Point windiff at them and start reading. Any time you see a strcpy
where there once was a strncpy there might be a suspect bit of code. But
you should know this and the rest of the methodologies. ( unless you are
just a drone in PR who gets paid to spread FUD of course )
> How
>do you intend to counter the effects of Sneeze?
"/* we can't hope to generate these sorts of packets, so just
skip them automatically */"
I went and read a little of the snort manual on rules [0], just as you
and the author could have.
How is it the author cannot hope to produce a web request with the
"uricontent" as specified? whisker is just as good a template for that as
the first sneeze is for this bit of code. If you are going to steal why
not steal a lot?
How is it the author cannot adjust the TTL? After they did an nmap of
the target I find it hard to believe that they are concerned about
noise. Do they not know how to get the number of hops?
The first sneeze available from the snort project on sourceforge appears
more capable than this. I don't think that a response is needed from the
snort people since it has been available since "Mon Aug 06 2001 -
10:39:32 CDT" [1] and not caused problems yet.
"/* we can only handle a small subset of datasize
keywords... don't worry about ranges, only worry
about the '>' operator, which will usually only be
used to detect overflow attempts */"
Cannot handle smaller bits of data?
"/* Exceed '>' directive by x bytes */
#define GT_INC 16"
Inline?
> Any comments on the Sebek piece?
"Any project based upon a flawed premises will result in products no
less flawed then the premise it was based upon."
How about any statement of fact based on an assumption is but an
assumption.
"However, If an adversary knows how they are being monitored, the
adversary is able to develop methods to determine if they are benign
monitored"
But they already "know they are being monitored" does anything else
matter? A Honeypot is designed to find this kind of information and the
people with both the skills and intentions to use them. Seems that
project has paid off pretty well by disclosing more wonderfully useful
bits of information on what the bad people might be up to and how.
"Assuming an adversary knows they are being monitored, then it must be
assumed that a determined adversary will study the ways that the
monitoring devices operate."
The determined adversary is just the one these things are designed to
discover. What makes you think that the discovery is not made when these
methods are employed and a forensic analysis ultimately performed? Why
would you think that you would know?
and my favorite statement
"If the discovered flaws are of such a nature where the adversary can
cause arbitrary code execution, either as a result of the device or one
of its supporting code libraries, then the attacker may be able to
compromise the supporting systems that monitor the honeypot, and any
other honeypots which trust that supporting system."
There are more what-if statements in there than I care to dissect. It
is a honeypot. It is disposable by nature and properly implemented
offers no more risk than anything else, arguably less risk overall. But
really... let's ponder for a minute... The intent is to find the attacker
that is skilled and capable of doing this. I think it is pretty
successful at just that. Besides, I would rather an attacker spend the
time figuring out how to circumvent this monitoring than penetrating
real defenses.
"gid=0(apache)" [2] - You learn something new every day!
There is not enough space to continue with this. This thing is riddled
with obvious forgery. Where is that full-exposure list? Can I suggest
that you use your incredible powers of deductive reasoning there
first?
> How confident are you in people who are
> doing your code review, anyway?
I am incredibly confident in the people doing code review. You see it is
available for all to review including you and me. Not only are skilled
people that do code review for a living looking at the code but so are a
lot of people that do it for a hobby. I think I can have confidence in
the record to date and in the future of this method over the alternative
closed "trust me" method. I could not find enough comparisons to the
honeynet project to present a reasonable position but a little research
shows that the record of snort is far better than the alternatives. Take
a look at the history of Real [in]Secure(tm)
>
>I honestly hope the PHC does the same to every last one of the
>components of Project Honeynet: Honeyd, VMWare, the works. Whether you
>choose to admit it or not, the latest releases from Phrack do more to
>further the improvement of these technologies than the vast majority of
>researchers who are scared stiff at the prospect of losing funding.
It is a definite contribution to security; it serves to educate people
about verifying information before acting on it. I doubt that anything
released in the phake phrak will end up being earth shattering when we
look back at it next year. Of course I don't think any of it is earth
shattering in the here and now so I could be biased.
> You
>complain now and tisk-tisk about the PHCs "juvenile" approach and tell
>yourselves it's all social engineering, but why not ask yourself where
>you'd be if they chose to sit on the papers they released yesterday
>instead? Ignoring people because you find them distasteful doesn't make
>the problem go away.
Many of us find it quite entertaining. Regardless, it is but a cry for
attention and if you get it this way instead of killing a room full of
children then I am happy to laugh at you.
[snip - bad bait, cut some new squid please]
>
>If these recent embarrassments don't result in SIGNIFICANT improvements
>in Snort and a top-to-bottom review of honeynet design, I strongly
>suspect there's going to be some serious consequences. Just a wee hunch.
I am all for improvement but I doubt this has any relevance to the
resulting works. Just a wee hunch, you are but a little upset that these
projects are successful and benefit the world ultimately taking cash out
of your pocket and putting it back into the hands of the honest people.
Do you wear the yellow suit in those wonderful ads? I think they peddle
a honeypot product and an IDS product. Didn't they just purchase an IPS
product too? Let's recap, you attack a honeypot, an IDS, and an IPS
capable IDS. That is pretty suspect to me.
>I swear to God if I had a hundred thousand dollars in unmarked bills
>right now, I'd hand it over to the Phrack men this very minute with a
>heartfelt "thank you".
Sounds to me like the words of a slighted person. What failed company
did you work for that was founded on a "flawed premise"? Good thing if
you ask me. Now you don't have that "hundred thousand dollars in
unmarked bills" that honest people earned to hand out to dishonest
people just like yourself.
[snip - bad bait, you really need to cut that squid]
>
>(I have no interest in addressing your ad-hominem attacks, so I just
>thought I'd say it for you and get that out of the way.)
But I felt like it anyway Mr. Rueubens. Go watch another movie
please.
To close this out. I think you should get on your knees and thank all of
the open source developers that honestly invest time in these projects
for people like you to sit back and "shoot" at. Where were you when the
"That server was a honeypot that was also used to provide software
downloads to .edu" statement was published by the Real [in]Secure(tm)
people? Next time do a little research for yourself before opening your
mouth and inserting your foot. It might cut down on the dental visits.
If you want the answers as an absolute go audit the code yourself and
publish your results. If you cannot do that pay for a professional audit
or create a fund and put together one. If you find a vulnerability
publish it. If you think you can do better produce something.
It is my belief from your rants that you are only interested in
spreading FUD for some third party to support your own position. I think
the silence from the world to your questions is a testament to the
quality and security of these products and to your flawed logic and
dishonest motives.
The remaining question is what is your real interest and motivation?
Please quit wasting my time with your FUD and go watch another movie.
./wtfeva
[0] - http://www.snort.org/docs/writing_rules/
[1] - http://archives.neohapsis.com/archives/snort/2001-08/0180.html
[2] - http://www.phrack.nl/phrack62/p62-0x03.txt
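The release-to-release audit sketched above (verify the signatures, diff the two trees, look for a strncpy that has become a strcpy), as an added shell example that is not part of the original message or of either project's code. The two source trees, the release names tool-1.0/tool-1.1 and the set_name function are constructed stand-ins for two downloaded tarballs; the gpg/tar step is shown only as a comment because no real archive exists here.

```shell
#!/bin/sh
# Added example, not from the original post: compare two releases of a C
# source tree and flag added lines that introduce an unbounded copy.
# The two trees below are constructed stand-ins for two downloaded tarballs.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
OLD="$WORK/tool-1.0"   # hypothetical release names
NEW="$WORK/tool-1.1"
mkdir -p "$OLD/src" "$NEW/src"

# Constructed "old" release: bounded copy with explicit termination.
cat > "$OLD/src/parse.c" <<'EOF'
#include <string.h>
void set_name(char *dst, const char *src, size_t n) {
    strncpy(dst, src, n - 1);
    dst[n - 1] = '\0';
}
EOF

# Constructed "new" release: the strncpy -> strcpy regression the post warns about.
cat > "$NEW/src/parse.c" <<'EOF'
#include <string.h>
void set_name(char *dst, const char *src, size_t n) {
    strcpy(dst, src);
}
EOF

# With real releases, verify the detached signatures before reading anything
# (shown as a comment only; no real tarball exists in this example):
#   gpg --verify tool-1.1.tar.gz.sig tool-1.1.tar.gz && tar xzf tool-1.1.tar.gz

# Recursive unified diff of the two trees, keeping only added lines
# (leading "+", but not the "+++" file header) that call a copy or
# formatting function with no length bound.
suspect_lines() {
    old=$1; new=$2
    diff -ru "$old" "$new" | grep '^+' | grep -v '^+++' \
        | grep -E '(^|[^A-Za-z0-9_])(strcpy|strcat|sprintf|gets)[[:space:]]*\(' || true
}

# Number of suspect added lines, so the result can be checked programmatically.
count_suspects() {
    suspect_lines "$1" "$2" | wc -l | tr -d ' '
}

echo "Suspect added lines between $OLD and $NEW:"
suspect_lines "$OLD" "$NEW"
```

Each line the script prints is a starting point for reading, not a verdict: a strcpy into a buffer already sized from strlen is fine, so the surrounding hunk still has to be read, exactly as the post says.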