Sunday, September 14, 2008

Signature Writing - 101

Writing signatures has always been fun and fabulous. Prerequisites for signature writing include research and analysis of the core content that has to be detected or prevented when it enters the network. Let us start with a simple sample.

Consider the following content(s) to be malicious:

1. This is where I was born.
2. This is what we are looking for.
3. This is good.

Imagine the above to be malicious and find out what is common in all of the above. "This is" repeats in every line. Hence, that could be added as content 1 to be filtered or detected. Now let us see which other parts are repetitive. "." repeats at the end of each line; that could be content 2. If we want to avoid some false positives, we could say that "." follows "This is" in every content. Now imagine that this text is not sent in a single line but is split into bits and pieces. That would evade our signatures, right? This is how fragmentation can help in IDS evasion. Though, this does not mean that there is no workaround for stopping such an evasion from happening.
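Here is an added example (not part of the original post) that turns the two observations above into a content signature, shows how a per-packet matcher is blind to the fragmented version of the same line, and shows that reassembling the stream before matching (the usual workaround) restores detection. The sample packets and fragment offsets are constructed for the demonstration.

```python
import re

# Constructed example, not from the original post. The signature encodes the
# two observations made above: "This is" appears in every sample and "." follows it.
SIGNATURE = re.compile(r"This is.*\.")


def match_per_packet(packets):
    """Naive detector: test each packet in isolation.

    This is what a signature engine does without stream reassembly,
    and it is exactly what fragmentation defeats.
    """
    return any(SIGNATURE.search(p) for p in packets)


def reassemble(fragments):
    """Rebuild the original payload from (offset, data) fragments.

    Fragments may arrive out of order; sorting by offset restores the stream.
    Overlapping or missing fragments are out of scope for this toy.
    """
    return "".join(data for _, data in sorted(fragments))


def match_reassembled(fragments):
    """Detector with reassembly: put the pieces back together, then match."""
    return SIGNATURE.search(reassemble(fragments)) is not None


# The three sample "malicious" lines from the post, each sent in one packet.
WHOLE = ["This is where I was born.",
         "This is what we are looking for.",
         "This is good."]

# The first line split so that "This is" and "." never share a packet,
# delivered out of order as (offset, data) pairs.
FRAGMENTED = [(8, "where I was "), (0, "This "), (20, "born."), (5, "is ")]

# Benign text that contains "This is" but no trailing ".": must not match.
BENIGN = [(0, "This is a test")]

if __name__ == "__main__":
    print("whole, per packet:      ", match_per_packet(WHOLE))                         # True
    print("fragmented, per packet: ", match_per_packet([d for _, d in FRAGMENTED]))    # False
    print("fragmented, reassembled:", match_reassembled(FRAGMENTED))                   # True
    print("benign, reassembled:    ", match_reassembled(BENIGN))                       # False
```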

We will be looking more into signatures and logs in the forthcoming blogs. Thank you for reading our blog.

- EF
