@brad_H said:
@anton_bassov said:
… snip …
Take CVE-2017-0144 for example, a remote attacker can gain kernel code execution by exploiting the SMB vulnerability, so if we let some SMB packets slide on a vulnerable machine and inspect them with a delay, then the shellcode has already executed in the kernel. So if we inspect it, and only if it was OK let it go through, then this attack would fail, but if we let it go through and inspect it later on then it's already too late.
Umm … no …
The SMB vulnerability was not a function of the data in the packet, it was a program “mistake” that was triggered by the contents of the packet … there’s a big difference between the two that it’s important to understand …
Remember, data in a packet is just that: data. How that data is used by the recipient program is entirely up to the recipient. In the FTP example I cited earlier, the FTP data itself was just that, data … it’s how the FTP program used that data that caused the problem, as with the SMB attack. The data itself was blameless, it was the recipient program that had the problem …
What this means for your packet scanning is that it’s not enough for you to simply scan for a data pattern (like the SMB packet), you also need to know that that packet is going to a recipient program which has a flaw when it gets that packet, which is basically impossible for you to know from the scanner …
If you’re going to be filtering out all packets which might cause problems for some recipient program then as @Anton said you’re writing a firewall, not a packet scanner. If you’re going to be filtering out packets which you know to be causing problems then you’re again writing a firewall …
The only real value in a packet scanner is actually for indicators of compromise in a command and control chain, and that’s going to be extremely tough to find as those are heavily obfuscated (and there are companies filled with entire buildings full of engineers working on that kind of scanning) …
Hmmm … and we’ve really veered far off into the weeds from the original question, so I’ll go back to my WFP experiment now …
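The point made above, that the bytes in a packet are blameless and the flaw lives in the recipient, can be shown in a few lines. The following C program is an added illustration and is not code from the thread or from any of the posters. It uses a constructed toy length-prefixed message format (a single length byte followed by payload; this is not SMB and not any real protocol) and two recipients for that format: one that trusts the length byte and one that bounds-checks it against its own buffer. A "scanner" that only sees the bytes flags the over-long packet in both cases, but the packet only does damage to the flawed recipient. The sentinel word after the buffer stands in for whatever memory follows the buffer in a real program; the names `handle_flawed`, `handle_fixed`, `scanner_flags` and `run_demo` are this example's own.

```c
/* Added example: the same bytes, two recipients, one pattern-only scanner.
 * Toy format (constructed, not SMB): [u8 declared_len][payload ...]. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BUF_LEN 16
#define SENTINEL 0xA5A5A5A5u

/* Receive area: a BUF_LEN-byte buffer immediately followed by a sentinel word
 * that models the memory sitting after the buffer in a real recipient. One flat
 * array is used so the overrun below stays inside a single object and the demo
 * is well-defined for the sample packets constructed at the bottom. */
typedef struct {
    uint8_t region[BUF_LEN + sizeof(uint32_t)];
} recv_area;

static void area_init(recv_area *a) {
    uint32_t s = SENTINEL;
    memset(a->region, 0, BUF_LEN);
    memcpy(a->region + BUF_LEN, &s, sizeof s);
}

/* 1 if the sentinel survived, 0 if the recipient wrote past its buffer. */
static int area_intact(const recv_area *a) {
    uint32_t s;
    memcpy(&s, a->region + BUF_LEN, sizeof s);
    return s == SENTINEL;
}

/* Flawed recipient: checks the declared length against the packet it received,
 * but never against the size of its own buffer. Returns bytes copied or -1.
 * (The sample packets below keep declared_len <= BUF_LEN + 4 so the overrun
 * lands on the sentinel and nowhere else.) */
static int handle_flawed(recv_area *a, const uint8_t *pkt, size_t pkt_len) {
    if (pkt_len < 1) return -1;
    size_t declared = pkt[0];
    if (declared > pkt_len - 1) return -1;
    for (size_t i = 0; i < declared; i++)
        a->region[i] = pkt[1 + i];      /* runs past BUF_LEN into the sentinel */
    return (int)declared;
}

/* Fixed recipient: same wire format, same bytes, but bounded by BUF_LEN. */
static int handle_fixed(recv_area *a, const uint8_t *pkt, size_t pkt_len) {
    if (pkt_len < 1) return -1;
    size_t declared = pkt[0];
    if (declared > pkt_len - 1 || declared > BUF_LEN) return -1;
    memcpy(a->region, pkt + 1, declared);
    return (int)declared;
}

/* All a pattern-only scanner can do: notice that the declared length exceeds
 * BUF_LEN. It cannot know which of the two handlers will consume the packet. */
static int scanner_flags(const uint8_t *pkt, size_t pkt_len) {
    return pkt_len >= 1 && pkt[0] > BUF_LEN;
}

typedef struct {
    int scanner_flagged;
    int flawed_rc, flawed_intact;
    int fixed_rc,  fixed_intact;
} outcome;

/* Deliver one packet to a scanner and to both recipients, on fresh buffers. */
static outcome run_demo(const uint8_t *pkt, size_t pkt_len) {
    outcome o;
    recv_area a;
    o.scanner_flagged = scanner_flags(pkt, pkt_len);
    area_init(&a);
    o.flawed_rc     = handle_flawed(&a, pkt, pkt_len);
    o.flawed_intact = area_intact(&a);
    area_init(&a);
    o.fixed_rc      = handle_fixed(&a, pkt, pkt_len);
    o.fixed_intact  = area_intact(&a);
    return o;
}

/* Constructed sample packets for this demo (not captured traffic). */
static const uint8_t benign_pkt[]   = { 4, 'h', 'o', 's', 't' };
static const uint8_t overlong_pkt[] = { 20,
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16,   /* fills the buffer */
    0xDE, 0xAD, 0xBE, 0xEF };                                /* lands on the sentinel */

static void report(const char *name, outcome o) {
    printf("%-8s scanner=%d | flawed rc=%d intact=%d | fixed rc=%d intact=%d\n",
           name, o.scanner_flagged, o.flawed_rc, o.flawed_intact,
           o.fixed_rc, o.fixed_intact);
}

int main(void) {
    report("benign",   run_demo(benign_pkt,   sizeof benign_pkt));
    report("overlong", run_demo(overlong_pkt, sizeof overlong_pkt));
    return 0;
}
```

The over-long packet trips the scanner whether it is headed for the flawed or the fixed recipient, and the flawed recipient corrupts the sentinel while the fixed one rejects the packet with the same bytes untouched. That is the asymmetry the post describes: the scanner has the bytes, but whether those bytes are an exploit is a property of the code on the receiving end, which the scanner does not see.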