Hackers of India

Evasion and Detection of Web Application Attacks

K K Mookhey

2004/07/29



Abstract

Intrusion detection systems that work at the application layer appear to be the next new wave of security products to hit the market. As with network IDSs, some of the products in the application security space work with signatures, while others are anomaly based. This presentation looks at typical patterns produced by some of the more common web application attacks—SQL injection, cross-site scripting, directory traversal, buffer overflows, etc. It discusses how these attacks can be matched using regular expression based signatures on the Snort IDS. However, the difficult part comes in trying to write signatures that cannot be easily evaded, while still keeping false positives at an acceptable level.

Advanced attacks that attempt to evade these signatures are discussed, along with modifications to the original set of signatures. The original concept is expanded to use these signatures with mod_security for Apache and SecureIIS for IIS. We then discuss the security attacks that cannot be detected by signature-based methods. Anomaly-based methods of detecting web application attacks are also briefly covered.

The attendees are expected to be familiar with regular expressions and the basics of typical web application attacks.