Generating False Positives

False positives can be generated in an IDS in many different ways. One way is by sending data that contain strings that match the patterns in the IDS's signature table, yet the data don't form an attack. Consider these three URLs:

         http://192.168.7.203/index.html#cmd.exe

         http://192.168.7.203/index.html?dummyparam=xp_cmdshell

         http://192.168.7.203/cgi-bin/print.cgi?page=3&dummyparam=cat+/etc/passwd

The first URL has a reference to a nonexistent anchor, cmd.exe. The HTTP request for this URL will be processed successfully, and the browser will also receive the contents of index.html from 192.168.7.203. However, the IDS will report an attack directed toward 192.168.7.203 because cmd.exe appears in one of its attack signatures.

The second URL is a case of a static HTML file being supplied parameters via a URL query string. A parameter called "dummyparam" is passed to the Web server with a value of "xp_cmdshell". In real attacks, xp_cmdshell is used in an SQL query injection attack in the URL string. In this case, index.html is a static HTML page and doesn't care about any parameters being passed to it. The parameters are simply dropped. The IDS doesn't know whether the URL is a real attack. In such an instance, an IDS such as snort would report that an attack was directed toward 192.168.7.203.

The third URL is an example of a CGI script that actually does receive parameters from the URL query string. However, extra parameters not used by the CGI script can be supplied. The effect is the same as that of the second URL.

As a test, all these URLs were sent from 10.0.0.1 to 192.168.7.203. The snort alerts produced by these three URLs were:

Apr 22 04:45:14 webspy snort[835]: [1:1002:2] WEB-IIS cmd.exe access
[Classification: Web Application Attack] [Priority: 1]:
{TCP} 10.0.0.1:2490 -> 192.168.7.2:80

Apr 22 04:45:47 webspy snort[835]: [1:1061:2] WEB-MISC cmdshell attempt
[Classification: Web Application Attack] [Priority: 1]:
{TCP} 10.0.0.1:2494 -> 192.168.7.2:80

Apr 22 04:46:38 webspy snort[835]: [1:1122:1] WEB-MISC /etc/passwd
[Classification: Attempted Information Leak] [Priority: 2]:
{TCP} 10.0.0.1:2495 -> 192.168.7.2:80

All three snort alerts are false positives.

IDS Evasion in Vulnerability Checkers

Web vulnerability checking programs such as Whisker provide an option to perform vulnerability checking with IDS evasion techniques turned on. Whisker uses ten IDS evasion techniques, which from its usage text are:

         -I 1 IDS-evasive mode 1 (URL encoding)

         -I 2 IDS-evasive mode 2 (/./ directory insertion)

         -I 3 IDS-evasive mode 3 (premature URL ending)

         -I 4 IDS-evasive mode 4 (long URL)

         -I 5 IDS-evasive mode 5 (fake parameter)

         -I 6 IDS-evasive mode 6 (TAB separation) (not NT/IIS)

         -I 7 IDS-evasive mode 7 (case sensitivity)

         -I 8 IDS-evasive mode 8 (Windows delimiter)

         -I 9 IDS-evasive mode 9 (session splicing) (slow)

         -I 0 IDS-evasive mode 0 (NULL method)

IDS evasion techniques can be combined while a vulnerability scan is being performed.
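The three false positives above, and the URL-encoding, /./-insertion and case-change evasion modes in the Whisker list, are two sides of the same matching problem: a signature applied to the raw URL string fires on text the server never interprets, and misses text the server does interpret once it has been decoded. The following is an added illustration, not code from the book or from snort, that contrasts whole-string matching with matching on the request components the target actually consumes. The signature table is constructed to mirror the three alert messages quoted above (it is not snort rule syntax), and the KNOWN_PARAMS table is an assumption about which query parameters each resource reads, standing in for knowledge an analyst would take from the application.

```python
"""Signature matching on URLs: raw substring search versus matching on the
decoded, server-interpreted parts of the request.  Constructed example."""
import posixpath
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed signature table: lowercase substring -> alert message,
# modelled on the three snort alerts quoted in the text (not snort syntax).
SIGNATURES = {
    "cmd.exe": "WEB-IIS cmd.exe access",
    "cmdshell": "WEB-MISC cmdshell attempt",
    "/etc/passwd": "WEB-MISC /etc/passwd",
}

# Assumed per-resource knowledge of which query parameters are consumed.
# A static file reads none; the hypothetical print.cgi reads only "page".
# Resources not listed here are treated conservatively (all parameters checked).
KNOWN_PARAMS = {
    "/index.html": set(),
    "/cgi-bin/print.cgi": {"page"},
}


def matches(text):
    """Return the alert message for every signature substring present in text."""
    return [msg for sig, msg in SIGNATURES.items() if sig in text]


def naive_alerts(url):
    """Match the raw URL as one string, the behaviour the text attributes to the IDS.
    Fires on fragments and on parameters the server discards."""
    return matches(url.lower())


def canonical_path(path):
    """Normalise a path before matching: percent-decode, collapse /./ and //,
    and fold case.  This removes the URL-encoding, /./-insertion and
    case-change variations listed among Whisker's evasion modes."""
    return posixpath.normpath(unquote(path)).lower()


def context_alerts(url):
    """Match only the request components the server will act on:
    the canonical path, plus the values of parameters the resource consumes.
    The fragment (#...) is client-side only and is never inspected."""
    parts = urlsplit(url)
    path = canonical_path(parts.path)
    alerts = matches(path)
    consumed = KNOWN_PARAMS.get(path)  # None -> unknown resource, inspect everything
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if consumed is not None and name not in consumed:
            continue  # the target drops this parameter, so it cannot reach any code
        for value in values:  # parse_qs has already percent-decoded the value
            alerts.extend(matches(value.lower()))
    return list(dict.fromkeys(alerts))  # de-duplicate, keep first-seen order


if __name__ == "__main__":
    for u in (
        "http://192.168.7.203/index.html#cmd.exe",
        "http://192.168.7.203/index.html?dummyparam=xp_cmdshell",
        "http://192.168.7.203/cgi-bin/print.cgi?page=3&dummyparam=cat+/etc/passwd",
    ):
        print(u, "\n  naive:", naive_alerts(u), "\n  context:", context_alerts(u))
```

Run against the three URLs from the text, `naive_alerts` reproduces the three alerts while `context_alerts` reports nothing; a constructed request that places `cat /etc/passwd` in the consumed `page` parameter is still caught, as is a `cmd.exe` path hidden behind percent-encoding, a `/./` segment and mixed case, which the raw matcher misses. One caveat worth keeping in mind when tuning: a browser never transmits the fragment part of a URL, so the first alert only appears when the raw URL is put on the wire by a tool rather than by a browser.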

Web Hacking: Attacks and Defense
ISBN: 0201761769
Year: 2005
Pages: 156