Feeds

Snort team aim to scent malformed email attachments

Razorback, the truffle-hog with a forensic back end

Protecting against web application threats using SSL

Interview The developers behind Snort, the open source intrusion detection system, are pushing ahead with a project to develop a system for detecting malformed documents in a bid to provide early warnings about targeted attacks.

Razorback is designed to complement traditional anti-virus products by providing a warning about maliciously constructed files that may take advantage of zero-day vulnerabilities to compromise targeted machines. Such previously unseen attacks are liable to slip by anti-virus and other security defences because no anti-virus signature has yet been created, and because heuristics and even cloud-based approaches are still fundamentally reactive, according to Marty Roesch, CTO of Sourcefire and the developer of Snort.

Roesch told El Reg that firewalls and IDS systems are designed to have high throughput and low latency, so these security devices are ill-suited to analysis of documents – the niche Razorback is trying to occupy. Razorback would offer "deep file inspection" with a forensics backend that provides near-real-time warning that something is amiss, for example, in an email sent to a firm's finance department. The document analysing software does not include a blocking function but "lets you know where to look and what to look for", according to Roesch, who said the technology offered software hooks to Snort and Clam AV.

The software includes a protocol anomaly detector that, for example, would detect Flash components in an Excel file. These flash components are passed on to parts of the technology that understand Flash files. If these handlers say that the file concerned is not a Flash file, then an alert would be generated that a malformed Flash file was found in a spreadsheet, a clear sign that something very odd and probably malign is going on. The approach doesn't rely on looking for patterns matching previously known bad stuff.

The idea is akin to data loss prevention (DLP) technology used for locking down USB ports and preventing the accidental or deliberate export of confidential data via email or other routes, it seems to us. However Roesch said DLP technology would be hard to apply to the detection of "zero-day" document-based targeted attacks, because it doesn't look for "heap sprays or buffer overflow" attacks (Razorback's particular forte).

Adding deep file inspection to client and server anti-virus, intrusion prevention and content inspection adds to the complexity of overall security set-ups, especially when much of this technology is designed to thwart targeted malware-based attacks. Roesch countered that higher-end enterprises had already seen the benefit of the extra line of defence.

Roesch said that Razorback is currently in the alpha stage of development. "The technology might be adapted over time to quarantine or stop suspicious files but that's not its function just now," Roesch added.

More about the project can be found on the Sourcefire labs portal here. ®

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.