Re: Open source firewalls

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Vinay Venkataraghavan wrote:

I know how to implement buffer overflow attacks. But
how would an intrusion detection system detect a
buffer overflow attack.
Buffer overflow attacks vary, but have one thing in common. The overflow string is much longer than what's usual for the app/protocol in question. It may also contain illegal characters, but be careful - non-english users use plenty of valid non-ascii characters in filenames,
passwords and so on.

The way to do this is to implement a transparent proxy module for every protocol you want to do overflow prevention for. Collect the strings transmitted, pass them on after validating them. Or reset the connection when one gets "too long". For example, you may want to
limit POP usernames to whatever the maximum username length is
on your system.  But make such things configurable, others may
want longer usernames than you.

My question is at the layer
that the intrusion detection system operates, how will
it know that a particular string for exmaple is liable
to overflow a vulnerable buffer.
It can't know of course, but it can suspect that 1000-character
usernames, passwords or filenames is foul play and reset the
connection.  Or 10k URL's . . .

Helge Hafting


-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/


[Index of Archives]     [Kernel]     [Linux Crypto]     [Gnu Crypto]     [Gnu Classpath]     [Netfilter]     [Bugtraq]
  Powered by Linux