Abstract
Intrusion detection systems that work at the application layer appear to be the next new wave of security products to hit the market. As with network IDSs, some of the products in the application security space work with signatures, while others are anomaly based. This presentation looks at typical patterns produced by some of the more common web application attacks—SQL injection, cross-site scripting, directory traversal, buffer overflows, etc. It discusses how these attacks can be matched using regular expression based signatures on the Snort IDS. However, the difficult part comes in trying to write signatures that cannot be easily evaded, while still keeping false positives at an acceptable level.
Advanced attacks to try and evade these signatures and modifications to the original set of signatures are discussed. The original concept is expanded to use these signatures with mod_security for Apache, and SecureIIS for IIS. We then discuss the security attacks that cannot be detected by signature-based methods. Anomaly-based methods of detecting web application attacks are also briefly covered.
The attendees are expected to be familiar with regular expressions and the basics of typical web application attacks.
AI Generated Summary (may contain errors)
The speaker discusses the challenges of detecting authentication brute-force attacks in web applications. They point out that traditional signature-based detection is not effective here because a single failed login looks the same whether it comes from an attacker or from a genuine user mistyping a password. Instead, a rule-based correlation engine can be used to flag repeated authentication failures within a short time frame.
The speaker also explores anomaly-based detection methods, which involve two phases: learning and detection. During the learning phase, the system builds a profile from normal traffic patterns, including input length, character distribution, and the structure of parameter strings. This profile is then used to identify anomalies in real-time traffic.
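A minimal sketch of the two-phase anomaly model described above, added here as an illustration and not material from the presentation: the learning phase builds a per-parameter profile (length statistics and character-class distribution) from a constructed set of normal values, and the detection phase reports how a new value deviates from that profile. The parameter name, sample values and thresholds are assumptions.

```python
import math
from collections import Counter

# Constructed training set (assumption): values of the "user" parameter
# observed in normal traffic during the learning phase.
NORMAL_USER_VALUES = ["alice", "bob", "carol42", "dave_smith",
                      "erin", "frank", "grace7", "heidi"]


def char_class(c):
    """Coarse character classes used for the distribution model."""
    if c.isalpha():
        return "alpha"
    if c.isdigit():
        return "digit"
    if c in "_.":
        return "sep"
    return "other"  # quotes, spaces, '=', '<', '/', '-', etc.


def build_profile(values):
    """Learning phase: length statistics and character-class distribution
    for one parameter, computed from values seen in normal traffic."""
    lengths = [len(v) for v in values]
    mean = sum(lengths) / len(lengths)
    var = sum((n - mean) ** 2 for n in lengths) / len(lengths)
    counts = Counter(char_class(c) for v in values for c in v)
    total = sum(counts.values())
    return {"mean_len": mean,
            "std_len": math.sqrt(var),
            "class_dist": {k: n / total for k, n in counts.items()}}


def score(value, profile, k=3.0, rare=0.01, max_rare_share=0.1):
    """Detection phase: return the reasons a value deviates from the profile;
    an empty list means the value looks like the training data."""
    reasons = []
    limit = profile["mean_len"] + k * profile["std_len"]
    if len(value) > limit:
        reasons.append("length %d exceeds learned limit %.1f" % (len(value), limit))
    counts = Counter(char_class(c) for c in value)
    rare_chars = sum(n for cls, n in counts.items()
                     if profile["class_dist"].get(cls, 0.0) < rare)
    if value and rare_chars / len(value) > max_rare_share:
        reasons.append("%.0f%% of characters fall in classes rarely seen in training"
                       % (100.0 * rare_chars / len(value)))
    return reasons


if __name__ == "__main__":
    profile = build_profile(NORMAL_USER_VALUES)
    for v in ["ivan_k", "' OR 1=1--", "A" * 40]:
        print(repr(v), "->", score(v, profile) or "normal")
```

A real deployment would keep one profile per parameter and tune `k` and the rare-class thresholds against the false-positive rate the site can tolerate.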
Commercial products dominate this field, but the speaker emphasizes that a good anomaly-based detection solution should analyze live traffic rather than rely on web server logs. This approach can provide more comprehensive data, including HTTP header information and POST data.
The speaker notes that there are performance trade-offs between signature-based and anomaly-based detection methods and that commercial products often combine both approaches to detect application-level attacks. Ultimately, the choice of method depends on the importance of the information being protected and the cost-benefit analysis of each approach.