In case of application filtering capability embedded inside IDS solutions such as SnortIDS, BroIDS or Prelude...PCRE format should be able to detect such payload signature (if constant). However, in terms of complexity of a threat, one should workout on Dynamic plug-ins to stabilize the detection pr

[ more ]  [ reply ]

In many cases, ActiveX CLSID is sent in HTML pages as a simple string such as

CLSID:06723E09-F4C2-43c8-835d-09FCD1DB0766

To evade detection by intermediate security devices, clsid information
can be sent as java script which looks like this:

<script>
var object1=document.createElement('object');

[ more ]  [ reply ]

CALL FOR PAPERS
RAID 2009

12th International Symposium on
Recent Advances in Intrusion Detection 2009

September 23-25, 2009

Saint Malo, Brittany, France

http://www.r

[ more ]  [ reply ]

Workshop on the Analysis of System Logs (WASL) 2009
http://www.systemloganalysis.com
Call for Papers

===============================
October 14, 2009
Big Sky, MT

[ more ]  [ reply ]

Title: Detection evasion technique by invalid UTF-8 sequences
Reported By: Hiroshi Tokumaru of HASH Consulting Corp.
Impact: A remote attacker can evade detection.

Overview
========

Invalid UTF-8 sequences are ignored in ASP.NET 1.1.
This may be used for the detection evasion of IDS/IPS/WAF.

Pr

[ more ]  [ reply ]

If all you have is a pcap with some protocol packets in it, how would
you know how much of the actual protocol specification (the possible
set of fields that the packets could carry) is being covered? This is
a useful metric to have when writing a dissector or IPS/DPI
signatures. This is much in the

[ more ]  [ reply ]

On Mar 19, 2009, at 4:30 PM, Paul Schmehl wrote:

> --On Thursday, March 19, 2009 14:33:29 -0400 Joel Esler <eslerj (at) gmail (dot) com [email concealed]
> > wrote:
>
>> Would this be an appropriate use for byte_test or byte_jump?
>>
>
> That's what I was referring to when I mentioned applications. The
> problem with http

[ more ]  [ reply ]