
Buffer Overruns/flows, are they the norm?

  • 03-02-2011 11:43AM
    #1
    Registered Users, Posts: 7,418 ✭✭✭


    Basically, in my place of work they have a Forigate firewall. It reports a lot of buffer overflows from various software and advises installing the latest patch etc. for said software.

    My question is this, though: if it detects that arbitrary code has been detected, does that mean that a hack has been attempted, or is it common that this can be an issue with software? I know that it's a bug that CAN be exploited, but does it necessarily mean that it HAS been exploited?


Comments

  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    JimiTime wrote: »
    Basically, in my place of work they have a Forigate firewall. It reports a lot of buffer overflows from various software and advises installing the latest patch etc. for said software.

    My question is this, though: if it detects that arbitrary code has been detected, does that mean that a hack has been attempted, or is it common that this can be an issue with software? I know that it's a bug that CAN be exploited, but does it necessarily mean that it HAS been exploited?

    Sorry, I am not familiar with that type of firewall, but it sounds like the FortiGate firewall also has IDS, or Intrusion Detection, functionality. Possibly even Intrusion Prevention too.

    I do IDS analysis and it is not always as black and white as it seems. I often get a lot of alerts saying "Possible buffer overflow" when all it is is poorly written software using very long strings.

    Also, a common way of launching buffer overflow attacks is to use a NOP-sled, which is a number of NOP (no-operation) commands, followed by the exploit code. Unfortunately, some software, much of it, again, poorly written, also uses NOP-sleds as part of its programming, so it triggers buffer overflow alerts.

    Is the IDS on the FortiGate firewalls a proprietary solution? I have used IDS/IPS on firewalls before, but rarely found any to be of much accuracy. My advice would be to set up a Snort IDS, which is much more configurable and 'tweakable'. Unfortunately, running an IDS is a constant job. Unlike antivirus, where you install it and it updates itself, an IDS must be constantly monitored for best results, and for many smaller organisations it is not worth the manpower or resources to devote suitable time to it.

    Has that answered your question?
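    The two false-positive cases described in the post above (an oversized but legitimate field, and NOP-like bytes in benign data) can be made concrete with a small model of the heuristics behind a "possible buffer overflow" alert. The following is an added example and is not FortiGate, Snort or any poster's code; the thresholds, the byte values and all four payloads are constructed for illustration, and the "exploit code" after the sled is a run of 0xCC (INT3) placeholders, not shellcode.

```python
# Added example: toy versions of two IDS heuristics that produce
# "possible buffer overflow" alerts, run over constructed payloads.
# Thresholds and samples are invented for illustration, not taken
# from any real signature set.

NOP = 0x90              # x86 single-byte NOP; a sled is a long run of it
SLED_MIN_RUN = 32       # constructed threshold: runs this long "look like" a sled
LONG_FIELD_MIN = 256    # constructed threshold: a text field this long is "oversized"


def longest_run(payload: bytes, byte: int) -> int:
    """Length of the longest run of consecutive `byte` values in payload."""
    best = cur = 0
    for b in payload:
        cur = cur + 1 if b == byte else 0
        best = max(best, cur)
    return best


def longest_field(payload: bytes) -> int:
    """Length of the longest run of printable, non-space bytes.

    A crude stand-in for the oversized-argument checks that rules for text
    protocols (HTTP, FTP, SMTP...) use to spot overflow attempts.
    """
    best = cur = 0
    for b in payload:
        if 0x21 <= b <= 0x7E:   # printable ASCII, not whitespace
            cur += 1
            best = max(best, cur)
        else:
            cur = 0
    return best


def classify(payload: bytes) -> list[str]:
    """Return the alert reasons a naive signature set would raise for payload."""
    reasons = []
    if longest_run(payload, NOP) >= SLED_MIN_RUN:
        reasons.append("nop-sled")
    if longest_field(payload) >= LONG_FIELD_MIN:
        reasons.append("long-field")
    return reasons


# Constructed sample payloads (not real captures).
# 1. What an x86 sled looks like on the wire: NOPs followed by code. The
#    "code" here is 0xCC (INT3) placeholders, deliberately not shellcode.
SLED_PAYLOAD = b"\x90" * 200 + b"\xcc" * 16

# 2. A benign but oversized query string: the "poorly written software
#    using very long strings" case. Nothing is exploited here.
LONG_QUERY = b"GET /search?q=" + b"A" * 400 + b" HTTP/1.1\r\nHost: example\r\n\r\n"

# 3. A slice of a benign binary download. Alignment padding and filler in
#    executables and firmware images can legitimately contain 0x90 runs.
BINARY_CHUNK = b"MZ" + b"\x00" * 40 + b"\x55\x89\xe5\xc3" + b"\x90" * 60 + b"\x55\x89\xe5"

# 4. An ordinary short request: should raise nothing.
NORMAL_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n"

SAMPLES = {
    "sled": SLED_PAYLOAD,
    "long_query": LONG_QUERY,
    "binary_chunk": BINARY_CHUNK,
    "normal": NORMAL_REQUEST,
}


def triage(samples: dict[str, bytes]) -> dict[str, list[str]]:
    """Run classify() over every sample; the reasons say which heuristic fired."""
    return {name: classify(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, reasons in triage(SAMPLES).items():
        print(f"{name:12s} -> {reasons or ['no alert']}")
```

    Both the real sled and the benign binary chunk trip the same "nop-sled" heuristic, and the harmless 400-character query trips the "long-field" one, which is why the alert alone cannot say whether an exploit was attempted; only looking at the payload and the context (what host, what service, what came next) can.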


    Registered Users, Posts: 7,418 ✭✭✭ JimiTime


    syklops wrote: »
    Sorry, I am not familiar with that type of firewall, but it sounds like the FortiGate firewall also has IDS, or Intrusion Detection, functionality. Possibly even Intrusion Prevention too.

    I do IDS analysis and it is not always as black and white as it seems. I often get a lot of alerts saying "Possible buffer overflow" when all it is is poorly written software using very long strings.

    Also, a common way of launching buffer overflow attacks is to use a NOP-sled, which is a number of NOP (no-operation) commands, followed by the exploit code. Unfortunately, some software, much of it, again, poorly written, also uses NOP-sleds as part of its programming, so it triggers buffer overflow alerts.

    Is the IDS on the FortiGate firewalls a proprietary solution? I have used IDS/IPS on firewalls before, but rarely found any to be of much accuracy. My advice would be to set up a Snort IDS, which is much more configurable and 'tweakable'. Unfortunately, running an IDS is a constant job. Unlike antivirus, where you install it and it updates itself, an IDS must be constantly monitored for best results, and for many smaller organisations it is not worth the manpower or resources to devote suitable time to it.

    Has that answered your question?


    Really appreciate the time and detail, syklops. It was a typo in my post; it is indeed a FortiGate firewall, and it does indeed have an IDS on it. It's not a proprietary solution. TBH, I'm doing a bit of backfill, and their IT is a little haphazard. I've told them that security like IDS/IPS etc. is quite a specialist field in itself. It's just a case of finding out what I can.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    JimiTime wrote: »
    Really appreciate the time and detail, syklops. It was a typo in my post; it is indeed a FortiGate firewall, and it does indeed have an IDS on it. It's not a proprietary solution. TBH, I'm doing a bit of backfill, and their IT is a little haphazard. I've told them that security like IDS/IPS etc. is quite a specialist field in itself. It's just a case of finding out what I can.

    Ok, so what further information do you need? Sorry I don't quite understand what you are asking in your second post.

    Thanks.


    Registered Users, Posts: 1,689 ✭✭✭ JimmyCrackCorn


    JimiTime wrote: »
    Basically, in my place of work they have a Forigate firewall. It reports a lot of buffer overflows from various software and advises installing the latest patch etc. for said software.

    My question is this, though: if it detects that arbitrary code has been detected, does that mean that a hack has been attempted, or is it common that this can be an issue with software? I know that it's a bug that CAN be exploited, but does it necessarily mean that it HAS been exploited?


    If you mean firewall warnings for attempted exploits, yes. A normal day on the internet. If you watch the traffic: I used to see 3-4 every five minutes.

