Field of use
First Functional Milestone
Juniper Networks’ NetScreen IDP appliances were widely used in corporate environments. For a firm specialized in offensive security as well as defensive security research, IDS products and their signatures have always been an important source of information. Without reverse engineering or analyzing their internals, it is impossible to judge their true effectiveness. In some cases, determining whether a given product could deter a driven adversary required access to the signatures and detection patterns, and these were often protected.
Subreption developed an in-house application capable of parsing NetScreen IDP database updates, processing the S-Expression language in the files, decoding the signatures, and decrypting the protected (hidden) entries, which used the Blowfish cipher. This application received the tongue-in-cheek name of AntiSig.
For many years AntiSig provided privileged access to the patterns used in the signatures, allowing Subreption to narrow down the exact methods used for detection, the triggers for exploitation, and in some cases the presence of signatures for zero-day exploits related to the CANVAS product from ImmunitySec. Whenever vendors entered agreements to share privileged data for signature development, Subreption was able to access the protected patterns hidden from users. This information provided a tangible advantage in our research and development efforts, as well as in our ability to educate customers about the true level of effectiveness of IDS products.
- Parallelized downloading and processing.
- Custom S-Expression parser halving the memory footprint (compared with a third-party S-Expr library).
- Native Blowfish component for decryption.
- Loads several thousand patterns in seconds.
Filtering and integration
- Arbitrary filtering conditions to isolate signatures of interest.
- Mode for processing only hidden signatures.
- Modular components for integration in automated processes.
- The application survived multiple product updates for almost a decade.
- Several real-world IDS bypass techniques were developed from analysis of the signatures.
- The team gained invaluable experience in IDS evasion and penetration testing.
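The parsing and filtering workflow described above (an S-Expression parser feeding arbitrary filter conditions, plus a hidden-signatures-only mode), as an added example that is not AntiSig's own code and not Subreption's. The record layout (`signature`, `name`, `severity`, `hidden`, `pattern` fields) and the three sample entries are constructed for illustration and do not reproduce the NetScreen IDP update format; the Blowfish decryption step is deliberately left out, since the page gives no key handling or ciphertext layout to base it on, so the sample "hidden" patterns are already in clear text.

```python
"""Minimal S-expression parser plus predicate-based filtering over signature
records. The record schema and sample data below are constructed for this
example; they are not the real NetScreen IDP database format."""
from typing import Any, Callable, Iterable


def tokenize(text: str) -> list:
    """Split S-expression text into '(' / ')' markers, ('str', value) and
    ('atom', value) tokens. ';' starts a comment that runs to end of line.
    Inside quoted strings only \\" and \\\\ are treated as escapes; any other
    backslash is kept literally so regex-like patterns survive untouched."""
    tokens, i, n = [], 0, len(text)
    while i < n:
        c = text[i]
        if c.isspace():
            i += 1
        elif c in "()":
            tokens.append(c)
            i += 1
        elif c == ";":
            while i < n and text[i] != "\n":
                i += 1
        elif c == '"':
            j, buf = i + 1, []
            while j < n and text[j] != '"':
                if text[j] == "\\" and j + 1 < n and text[j + 1] in '"\\':
                    j += 1
                buf.append(text[j])
                j += 1
            if j >= n:
                raise ValueError("unterminated string literal")
            tokens.append(("str", "".join(buf)))
            i = j + 1
        else:
            j = i
            while j < n and not text[j].isspace() and text[j] not in '()";':
                j += 1
            tokens.append(("atom", text[i:j]))
            i = j
    return tokens


def parse(text: str) -> list:
    """Parse every top-level form into nested Python lists; atoms and quoted
    strings both become str. Raises ValueError on unbalanced input."""
    tokens, pos = tokenize(text), 0

    def read() -> Any:
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of input")
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            items = []
            while pos < len(tokens) and tokens[pos] != ")":
                items.append(read())
            if pos >= len(tokens):
                raise ValueError("missing ')'")
            pos += 1
            return items
        if tok == ")":
            raise ValueError("unexpected ')'")
        return tok[1]

    forms = []
    while pos < len(tokens):
        forms.append(read())
    return forms


def to_record(form: list) -> dict:
    """Turn (signature (key value ...) ...) into a flat dict (constructed schema)."""
    if not form or form[0] != "signature":
        raise ValueError("not a signature form")
    rec = {}
    for field in form[1:]:
        if not isinstance(field, list) or not field:
            raise ValueError(f"malformed field: {field!r}")
        key, *vals = field
        rec[key] = vals[0] if len(vals) == 1 else vals
    return rec


def load_signatures(text: str) -> list:
    return [to_record(f) for f in parse(text)]


def select(records: Iterable[dict], *predicates: Callable[[dict], bool],
           hidden_only: bool = False) -> list:
    """Keep records satisfying every predicate; hidden_only adds the
    'hidden == true' condition, mirroring a hidden-signatures-only mode."""
    if hidden_only:
        predicates = (lambda r: r.get("hidden") == "true",) + predicates
    return [r for r in records if all(p(r) for p in predicates)]


def summarize(records: Iterable[dict]) -> dict:
    records = list(records)
    return {"total": len(records),
            "hidden": sum(r.get("hidden") == "true" for r in records)}


# Constructed sample database: three invented entries, not vendor data.
SAMPLE_DB = r"""
; constructed sample, not a real IDP update
(signature (name "HTTP:EXAMPLE:LONG-URI") (severity high) (hidden false)
           (pattern "GET /[^ ]{1024,}"))
(signature (name "SMTP:EXAMPLE:HELO-OVERFLOW") (severity critical) (hidden true)
           (pattern "HELO .{512,}"))
(signature (name "DNS:EXAMPLE:NULL-QUERY") (severity low) (hidden true)
           (pattern "\x00\x00"))
"""

if __name__ == "__main__":
    recs = load_signatures(SAMPLE_DB)
    print(summarize(recs))
    for r in select(recs, lambda r: r["severity"] in ("high", "critical"),
                    hidden_only=True):
        print(r["name"], "->", r["pattern"])
```

Filter predicates are plain callables, so the same `select` call serves both the "arbitrary filtering conditions" and the "hidden signatures only" use cases without a separate code path; a full tool would slot the decryption step between `parse` and `to_record`, replacing the `pattern` value of hidden entries with its decrypted form.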
Copyright and external trademarks
Trademarks, logos and brand names are the property of their respective owners. All company, product and service names referenced or mentioned in this page are for identification and fair-use purposes only, with no endorsement implied.