Feeds

Snort team aim to scent malformed email attachments

Razorback, the truffle-hog with a forensic back end

Top 5 reasons to deploy VMware with Tegile

Interview The developers behind Snort, the open source intrusion detection system, are pushing ahead with a project to develop a system for detecting malformed documents in a bid to provide early warnings about targeted attacks.

Razorback is designed to complement traditional anti-virus products by providing a warning about maliciously constructed files that may take advantage of zero-day vulnerabilities to compromise targeted machines. Such previously unseen attacks are liable to slip by anti-virus and other security defences because no anti-virus signature has yet been created, and because heuristics and even cloud-based approaches are still fundamentally reactive, according to Marty Roesch, CTO of Sourcefire and the developer of Snort.

Roesch told El Reg that firewalls and IDS systems are designed to have high throughput and low latency, so these security devices are ill-suited to analysis of documents – the niche Razorback is trying to occupy. Razorback would offer "deep file inspection" with a forensics backend that provides near-real-time warning that something is amiss, for example, in an email sent to a firm's finance department. The document analysing software does not include a blocking function but "lets you know where to look and what to look for", according to Roesch, who said the technology offered software hooks to Snort and Clam AV.

The software includes a protocol anomaly detector that, for example, would detect Flash components in an Excel file. These flash components are passed on to parts of the technology that understand Flash files. If these handlers say that the file concerned is not a Flash file, then an alert would be generated that a malformed Flash file was found in a spreadsheet, a clear sign that something very odd and probably malign is going on. The approach doesn't rely on looking for patterns matching previously known bad stuff.

The idea is akin to data loss prevention (DLP) technology used for locking down USB ports and preventing the accidental or deliberate export of confidential data via email or other routes, it seems to us. However Roesch said DLP technology would be hard to apply to the detection of "zero-day" document-based targeted attacks, because it doesn't look for "heap sprays or buffer overflow" attacks (Razorback's particular forte).

Adding deep file inspection to client and server anti-virus, intrusion prevention and content inspection adds to the complexity of overall security set-ups, especially when much of this technology is designed to thwart targeted malware-based attacks. Roesch countered that higher-end enterprises had already seen the benefit of the extra line of defence.

Roesch said that Razorback is currently in the alpha stage of development. "The technology might be adapted over time to quarantine or stop suspicious files but that's not its function just now," Roesch added.

More about the project can be found on the Sourcefire labs portal here. ®

Internet Security Threat Report 2014

More from The Register

next story
'Kim Kardashian snaps naked selfies with a BLACKBERRY'. *Twitterati gasps*
More alleged private, nude celeb pics appear online
Home Depot ignored staff warnings of security fail laundry list
'Just use cash', former security staffer warns friends
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Freenode IRC users told to change passwords after securo-breach
Miscreants probably got in, you guys know the drill by now
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
BitTorrent's peer-to-peer chat app Bleep goes live as public alpha
A good day for privacy as invisble.im also reveals its approach to untraceable chats
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.