From: Helge Hafting <helge.hafting@aitel.hist.no>
To: Vinay Venkataraghavan <raghavanvinay@yahoo.com>
Cc: linux-crypto@nl.linux.org, linux-kernel@vger.kernel.org
Subject: Re: Open source firewalls
Date: Thu, 14 Jul 2005 12:13:36 +0200
Message-ID: <42D63AD0.6060609@aitel.hist.no>
In-Reply-To: <20050713163424.35416.qmail@web32110.mail.mud.yahoo.com>
Vinay Venkataraghavan wrote:
>I know how to implement buffer overflow attacks. But
>how would an intrusion detection system detect a
>buffer overflow attack.
>
Buffer overflow attacks vary, but have one thing in common. The
overflow string is much longer than what's usual for the app/protocol in
question. It may also contain illegal characters, but be careful -
non-English users use plenty of valid non-ASCII characters in filenames,
passwords and so on.
The way to do this is to implement a transparent proxy module for every
protocol you want to do overflow prevention for. Collect the strings
transmitted, pass them on after validating them. Or reset the
connection when one gets "too long". For example, you may want to
limit POP usernames to whatever the maximum username length is
on your system. But make such things configurable; others may
want longer usernames than you.
>My question is at the layer
>that the intrusion detection system operates, how will
>it know that a particular string for example is liable
>to overflow a vulnerable buffer.
>
It can't know of course, but it can suspect that 1000-character
usernames, passwords or filenames are foul play and reset the
connection. Or 10k URLs...
Helge Hafting
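The length-limiting transparent proxy sketched in the message above, as an added example that is not part of the original thread or any kernel code: a small Python validator for POP3 client command lines with configurable per-command limits, which forwards normal traffic, allows non-ASCII bytes, and resets on raw control bytes or absurdly long arguments. The limit values, the sample session and the function names are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass

# Per-command argument limits in bytes: assumed values, tune to the real system.
DEFAULT_LIMITS = {"USER": 32, "PASS": 128, "APOP": 80}
FALLBACK_LIMIT = 512  # ceiling for any other command's argument
# Raw control bytes never belong in a command line; bytes >= 0x80 are allowed
# because non-ASCII usernames and passwords are legitimate.
CONTROL_BYTES = re.compile(rb"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")

@dataclass
class Verdict:
    action: str  # "pass" (forward to server) or "reset" (drop the connection)
    reason: str = ""

def inspect_command(line: bytes, limits=None) -> Verdict:
    """Validate one client command line before forwarding it."""
    limits = DEFAULT_LIMITS if limits is None else limits
    stripped = line.rstrip(b"\r\n")
    if CONTROL_BYTES.search(stripped):
        return Verdict("reset", "control bytes in command line")
    verb, _, arg = stripped.partition(b" ")
    verb = verb.upper().decode("ascii", errors="replace")
    limit = limits.get(verb, FALLBACK_LIMIT)
    if len(arg) > limit:
        return Verdict("reset", f"{verb} argument is {len(arg)} bytes, limit {limit}")
    return Verdict("pass")

def filter_session(lines, limits=None):
    """Run a client stream through the proxy; returns (forwarded lines, verdict)."""
    forwarded = []
    for line in lines:
        verdict = inspect_command(line, limits)
        if verdict.action == "reset":
            return forwarded, verdict  # stop at the first reset
        forwarded.append(line)
    return forwarded, Verdict("pass")

# Constructed sample session: a normal login, then a 1000-byte USER argument.
SAMPLE_SESSION = [
    b"USER j\xc3\xb8rgen\r\n",  # UTF-8 username, 7 bytes: allowed
    b"PASS hunter2\r\n",
    b"STAT\r\n",
    b"USER " + b"A" * 1000 + b"\r\n",  # absurdly long: connection reset
]

if __name__ == "__main__":
    sent, verdict = filter_session(SAMPLE_SESSION)
    print(f"{len(sent)} lines forwarded; {verdict.action}: {verdict.reason}")
```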