Re: Analysis of "stacheldraht" + arachNIDS

From: Max Vision (visionat_private)
Date: Fri Dec 31 1999 - 11:06:05 PST


    On Fri, 31 Dec 1999, Dave Dittrich wrote:
    > http://staff.washington.edu/dittrich/misc/stacheldraht.analysis
    >
    
    Hello,
    
    I have written seven IDS signatures that detect the default configuration
    of stacheldraht, as presented in Dave's excellent writeup.  They are
    available at Whitehats and below in this email.
    
    This is probably a good opportunity to introduce my free IDS signature
    database project, arachNIDS.  [ http://whitehats.com/ ]  arachNIDS is the
    Advanced Reference Archive of Current Heuristics for Network Intrusion
    Detection Systems - CVE and BugtraqID compatible/searchable.  The database
    can be used as a tool for research, or IDS signatures can be exported for
    use in free IDS such as Snort.
    
    The intent of this open/free database is to raise the bar on modern
    intrusion detection systems by bringing full-disclosure to IDS.  arachNIDS
    is a work in progress, and contributions are very welcome.  I have also
    created an Intrusion Event description form that, as you fill in packet
    information, dynamically creates an appropriate signature.  Please visit
    the site for details.
    
    signatures:
    alert TCP $EXTERNAL any -> $INTERNAL 16660 (msg: "stacheldraht client"; flags: S;)
    alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "stacheldraht client-check"; content: "skillz"; itype: 0; icmp_id: 666;)
    alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "stacheldraht client-check-gag"; content: "gesundheit!"; itype: 0; icmp_id: 668;)
    alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "stacheldraht client-spoofworks"; content: "spoofworks"; itype: 0; icmp_id: 1000;)
    alert ICMP $INTERNAL any -> $EXTERNAL any (msg: "stacheldraht server-response"; content: "ficken"; itype: 0; icmp_id: 667;)
    alert ICMP $INTERNAL any -> $EXTERNAL any (msg: "stacheldraht server-response-gag"; content: "sicken"; itype: 0; icmp_id: 669;)
    alert ICMP 3.3.3.3/32 any -> any any (msg: "stacheldraht server-spoof"; itype: 0; icmp_id: 666;)
    
    "Whitehats is a resource to help network and security administrators by
    offering free software and community support. This site features the
    world's first open Intrusion Detection database, arachNIDS."
    
    Max Vision
    Network Security Architect
    http://whitehats.com/  <- free tools, forums, and IDS database
    http://maxvision.net/
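To show how the seven signatures above behave on traffic, here is an added example (not code from Max Vision, arachNIDS or Snort) that parses the rules with a minimal Snort-style matcher and runs them over a handful of constructed packet records. It assumes $INTERNAL is 10.0.0.0/8 (with $EXTERNAL meaning everything else), treats `content` as a plain substring match, and treats `flags: S` as an exact flag set, so a SYN/ACK does not fire the TCP rule; all addresses, ports and payloads in the sample are made up for the demonstration.

```python
"""Minimal Snort-style matcher for the stacheldraht signatures (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# The seven arachNIDS signatures exactly as posted in the message above.
RULES = [
    'alert TCP $EXTERNAL any -> $INTERNAL 16660 (msg: "stacheldraht client"; flags: S;)',
    'alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "stacheldraht client-check"; content: "skillz"; itype: 0; icmp_id: 666;)',
    'alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "stacheldraht client-check-gag"; content: "gesundheit!"; itype: 0; icmp_id: 668;)',
    'alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "stacheldraht client-spoofworks"; content: "spoofworks"; itype: 0; icmp_id: 1000;)',
    'alert ICMP $INTERNAL any -> $EXTERNAL any (msg: "stacheldraht server-response"; content: "ficken"; itype: 0; icmp_id: 667;)',
    'alert ICMP $INTERNAL any -> $EXTERNAL any (msg: "stacheldraht server-response-gag"; content: "sicken"; itype: 0; icmp_id: 669;)',
    'alert ICMP 3.3.3.3/32 any -> any any (msg: "stacheldraht server-spoof"; itype: 0; icmp_id: 666;)',
]

# Assumed value of the $INTERNAL variable; $EXTERNAL is defined as "not internal".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# alert <proto> <src_net> <src_port> -> <dst_net> <dst_port> (<options>)
RULE_RE = re.compile(r"^alert\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")


@dataclass
class Rule:
    proto: str
    src_net: str
    src_port: str
    dst_net: str
    dst_port: str
    options: dict


@dataclass
class Packet:
    proto: str                      # "TCP" or "ICMP"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    payload: bytes = b""
    tcp_flags: str = ""             # "S" = bare SYN, "SA" = SYN/ACK
    icmp_type: Optional[int] = None
    icmp_id: Optional[int] = None


def parse_rule(text: str) -> Rule:
    """Split a rule into header fields and a dict of its option keywords."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text}")
    proto, src_net, src_port, dst_net, dst_port, opts = m.groups()
    options = {}
    for opt in opts.split(";"):
        opt = opt.strip()
        if opt:
            key, _, value = opt.partition(":")
            options[key.strip()] = value.strip().strip('"')
    return Rule(proto.upper(), src_net, src_port, dst_net, dst_port, options)


def net_matches(spec: str, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    internal = any(addr in net for net in INTERNAL_NETS)
    if spec == "any":
        return True
    if spec == "$INTERNAL":
        return internal
    if spec == "$EXTERNAL":
        return not internal
    return addr in ipaddress.ip_network(spec, strict=False)


def port_matches(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != pkt.proto.upper():
        return False
    if not (net_matches(rule.src_net, pkt.src) and net_matches(rule.dst_net, pkt.dst)):
        return False
    if rule.proto == "TCP" and not (port_matches(rule.src_port, pkt.sport)
                                    and port_matches(rule.dst_port, pkt.dport)):
        return False
    o = rule.options
    if "content" in o and o["content"].encode() not in pkt.payload:
        return False
    if "flags" in o and pkt.tcp_flags != o["flags"]:      # exact flag set, so SYN/ACK is not a hit
        return False
    if "itype" in o and pkt.icmp_type != int(o["itype"]):
        return False
    if "icmp_id" in o and pkt.icmp_id != int(o["icmp_id"]):
        return False
    return True


def evaluate(rules, packets):
    """Return the msg of every rule that fires, in packet order."""
    return [r.options.get("msg", "?") for p in packets for r in rules if rule_matches(r, p)]


# Constructed traffic sample: one hit per rule type, plus two that must stay silent.
SAMPLE_PACKETS = [
    Packet("TCP", "198.51.100.7", "10.1.2.3", sport=40000, dport=16660, tcp_flags="S"),
    Packet("ICMP", "198.51.100.7", "10.1.2.3", payload=b"skillz", icmp_type=0, icmp_id=666),
    Packet("ICMP", "10.1.2.3", "198.51.100.7", payload=b"ficken", icmp_type=0, icmp_id=667),
    Packet("ICMP", "3.3.3.3", "10.1.2.3", icmp_type=0, icmp_id=666),
    Packet("ICMP", "198.51.100.7", "10.1.2.3", payload=b"abcdefgh", icmp_type=0, icmp_id=1234),  # ordinary ping reply
    Packet("TCP", "198.51.100.7", "10.1.2.3", sport=40001, dport=16660, tcp_flags="SA"),       # not a bare SYN
]


def run_sample():
    return evaluate([parse_rule(r) for r in RULES], SAMPLE_PACKETS)


if __name__ == "__main__":
    for msg in run_sample():
        print(msg)
```

The matcher keeps the rule semantics that matter for these signatures (direction via the $INTERNAL/$EXTERNAL variables, exact TCP flag set, ICMP type and id, payload substring) and nothing more; a real sensor would also reassemble streams and apply the rule to every packet rather than a handful of records.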
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:25:23 PDT