[dundee] Software Society: IDS Enumeration: False Positive Ab(use) - Thursday 11th October

Ryan Ward ry.ward91 at gmail.com
Wed Oct 10 10:47:01 UTC 2012


Hey folks,

Just the usual shout out for our meeting this week held upstairs in the
Burgh Coffeehouse (Commercial Street) at 7pm.

Our very own Arron "Finux" Finnon has returned from his global endeavor and
will be presenting his talk on IDS Enumeration.

Network Intrusion Prevention Systems, or NIPS, have been plagued by
“False Positive” issues almost since their first deployment.  A
“False Positive” can simply be described as incorrectly or
mistakenly detecting a threat that is not real.  A large amount of research
has gone into using “False Positives” as an attack vector, either to
attack the very validity of an IPS system or to conduct forms of Denial
of Service attack.  However, the very reaction to a “False Positive” in
the first place may well reveal more detailed information about
defences than you might think.

This talk takes a look at how it is possible to enumerate network
defences such as an IPS by very simple and effective means.  A detection
system such as an IPS reacting to a set of conditions under the control of
an attacker can very well allow them to know what defences they need to
overcome to be successful.  With a simple crafted email it is possible to
tell that ClamAV is running on a mail server, or a simple fake URL
parameter could well inform you that Snort is defending a web application.
Armed with this type of information an attacker can plan an attack that
utilises IPS evasion techniques.  Although this talk uses some very famous
“Open Source” security applications in its examples, the methodology can
easily be used to detect a whole host of commercial security products as
well.

There is no hard-and-fast fix to the issues discussed in this talk;
the aim is simply to give the attendees the ability to spot and assess
potential “reaction leakages” from a detection system.  You can only really
defend against what you can understand, and with this information a more
fitting solution can be sought.
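
As an illustration of what “reaction leakage” means in practice, here is a small Python self-check a defender can run against recorded responses from their own lab: it compares the response an application gives to a harmless request with the response seen when a request trips a detection signature, and reports every attribute (status, headers, body size, timing) that would let an observer tell the two apart. This is an added example, not code from Finux or the Software Society; the Response records, the header values and the latency tolerance are all constructed for the demonstration.

```python
"""Assess "reaction leakage": does a detection system's reaction to a
signature-matching request look different from the application's own
normal response?  If the two are distinguishable, the detection system
has revealed its presence.  All sample responses below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Timing differences smaller than this are treated as noise (assumed value).
LATENCY_TOLERANCE_MS = 50.0


@dataclass
class Response:
    """A recorded HTTP response; status is None when the connection was
    reset or silently dropped instead of answered."""
    status: Optional[int]
    headers: Dict[str, str]
    body: str
    latency_ms: float


def describe_status(status: Optional[int]) -> str:
    return "connection reset/dropped" if status is None else str(status)


def compare_responses(baseline: Response, reaction: Response) -> Dict[str, str]:
    """Return every attribute in which `reaction` differs from `baseline`.
    An empty dict means the reaction is indistinguishable from normal
    behaviour under these checks."""
    diffs: Dict[str, str] = {}

    if baseline.status != reaction.status:
        diffs["status"] = (f"{describe_status(baseline.status)} -> "
                           f"{describe_status(reaction.status)}")

    # Header names are case-insensitive, so normalise before comparing.
    b_hdrs = {k.lower(): v for k, v in baseline.headers.items()}
    r_hdrs = {k.lower(): v for k, v in reaction.headers.items()}
    for name in sorted(set(b_hdrs) | set(r_hdrs)):
        if name not in r_hdrs:
            diffs[f"header:{name}"] = "removed"
        elif name not in b_hdrs:
            diffs[f"header:{name}"] = "added"
        elif b_hdrs[name] != r_hdrs[name]:
            diffs[f"header:{name}"] = f"{b_hdrs[name]!r} -> {r_hdrs[name]!r}"

    if len(baseline.body) != len(reaction.body):
        diffs["body_length"] = f"{len(baseline.body)} -> {len(reaction.body)}"

    if abs(baseline.latency_ms - reaction.latency_ms) > LATENCY_TOLERANCE_MS:
        diffs["latency_ms"] = f"{baseline.latency_ms:.0f} -> {reaction.latency_ms:.0f}"

    return diffs


def leaks(baseline: Response, reaction: Response) -> bool:
    """True if the detection system's reaction is distinguishable."""
    return bool(compare_responses(baseline, reaction))


# --- constructed samples -------------------------------------------------
# The application's own error page for an unknown resource.
APP_ERROR = Response(404, {"Server": "nginx", "Content-Type": "text/html"},
                     "<html>not found</html>", 42.0)
# Inline IPS that resets the connection when a signature fires.
IPS_RESET = Response(None, {}, "", 3.0)
# Proxy in front of the application serving its own block page.
PROXY_BLOCK = Response(403, {"Server": "proxy-gw", "Content-Type": "text/plain"},
                       "Blocked", 5.0)
# Hardened configuration: the reaction mirrors the application's own error.
UNIFORM = Response(404, {"Server": "nginx", "Content-Type": "text/html"},
                   "<html>not found</html>", 40.0)

if __name__ == "__main__":
    for label, reaction in [("IPS reset", IPS_RESET),
                            ("proxy block page", PROXY_BLOCK),
                            ("uniform error", UNIFORM)]:
        print(f"{label}: {compare_responses(APP_ERROR, reaction) or 'no leakage'}")
```

The useful outcome is the last case: when the reaction to a blocked request carries the same status, headers, body size and timing as the application's own error, the checks above find nothing to report, which is the property a defender wants to verify after tuning a block action.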
So come grab a coffee then after the talk hopefully a beverage in the
Ladywell Tavern.

Stay Sane,

-- 
Ryan Ward
https://www.twitter.com/rysward