Case study

AntiSig (Juniper Networks NetScreen IDP Signature Analysis)

AntiSig was developed for internal use to extract and process the IDS (Intrusion Detection System) signatures of the Juniper Networks NetScreen IDP family of IDS appliances, including decryption of hidden (protected) signatures. This gave Subreption at-will access to the actual detection patterns, as well as to the triggers for zero-day and n-day vulnerabilities.

  • Field of use

    Information Assurance

  • Initial Development

    2007

  • First Functional Milestone

    2007

  • EOL

    2013

  • Distribution

    Internal

  • S/LOC

    5,929

  • Languages
    • C#
    • C

Problem

Juniper Networks’ NetScreen IDP appliances were widely used in corporate environments. For a firm specialized in offensive security as well as defensive security research, IDS products and their signatures have always been an important source of information: without reverse engineering or analyzing their internals, it is impossible to judge their true effectiveness. In some cases, judging whether a given product could deter a determined adversary required access to its signatures and detection patterns, and these were often protected.

Solution

Subreption developed an in-house application capable of parsing NetScreen IDP database updates, processing the S-Expression language used in the files, decoding the signatures and decrypting the hidden (protected) entries, which were encrypted with the Blowfish cipher. The application received the tongue-in-cheek name AntiSig.

Result

For many years AntiSig provided privileged access to the patterns used in the signatures, allowing Subreption to narrow down the exact methods used for detection, the triggers for exploitation and, in some cases, the presence of signatures for zero-day exploits related to ImmunitySec’s CANVAS product. Whenever vendors entered agreements to provide privileged data for signature development, Subreption was able to access the protected patterns hidden from ordinary users. This information provided a tangible advantage in our research and development efforts, and in our ability to educate customers about the true effectiveness of IDS products.

Fast processing
  • Parallelized downloading and processing.
  • Custom S-Expression parser halving the memory footprint compared with a third-party S-Expr library.
  • Native Blowfish component for decryption.
  • Loads several thousand patterns in seconds.

Filtering and integration
  • Arbitrary filtering conditions to isolate signatures of interest.
  • Mode for processing only hidden signatures.
  • Modular components for integration in automated processes.
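
The pipeline described under Solution and in the feature lists above (a memory-frugal S-Expression parser, a hidden-only mode, arbitrary filtering conditions, and a decryption step for protected entries), as an added example written for this page rather than code from AntiSig itself. It is in Python rather than the C#/C of the original. The `signature` record layout with `:name`, `:severity`, `:hidden` and `:pattern` keywords, the hex encoding of protected bodies, and the three sample entries are constructed assumptions, not the NetScreen IDP update format; the decryption hook is a XOR keystream marked as a stand-in, not Blowfish, so the example runs without a third-party cipher library.

```python
"""Added example (not Subreption's AntiSig code): a memory-frugal S-expression
signature loader with a pluggable hidden-entry decryptor and arbitrary filters.
The record layout (:name/:severity/:hidden/:pattern) and hex-encoded protected
bodies are assumptions, not the NetScreen IDP format; the decryptor is a XOR
keystream stand-in, NOT Blowfish."""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Union

Sexp = Union[str, List["Sexp"]]
# One token per match: '(', ')', a double-quoted string, or a bare atom.
_TOKEN = re.compile(r'\s*(?:(\()|(\))|"((?:[^"\\]|\\.)*)"|([^\s()"]+))')


def parse_sexp(text: str) -> List[Sexp]:
    """Parse all top-level S-expressions with an explicit stack instead of
    recursion: memory grows with nesting depth, not file size, and deeply
    nested (possibly hostile) input cannot hit the recursion limit."""
    root: List[Sexp] = []
    stack: List[List[Sexp]] = [root]
    pos = 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if m is None:
            if text[pos:].strip() == "":
                break  # only trailing whitespace remains
            raise ValueError(f"unexpected input at offset {pos}")
        pos = m.end()
        lparen, rparen, quoted, atom = m.groups()
        if lparen:
            node: List[Sexp] = []
            stack[-1].append(node)
            stack.append(node)
        elif rparen:
            if len(stack) == 1:
                raise ValueError(f"unbalanced ')' at offset {pos}")
            stack.pop()
        elif quoted is not None:
            stack[-1].append(quoted.replace('\\"', '"'))
        else:
            stack[-1].append(atom)
    if len(stack) != 1:
        raise ValueError("unterminated list")
    return root


@dataclass
class Signature:
    name: str
    severity: str
    hidden: bool
    pattern: str  # plaintext; already decrypted for hidden entries


def to_signature(node: Sexp, decrypt: Callable[[str], str]) -> Signature:
    """Map a (signature :key value ...) node to a record; decrypt if ':hidden t'."""
    if not isinstance(node, list) or not node or node[0] != "signature":
        raise ValueError(f"not a signature node: {node!r}")
    attrs, fields = {}, iter(node[1:])
    for key in fields:
        if not isinstance(key, str) or not key.startswith(":"):
            raise ValueError(f"expected keyword, got {key!r}")
        attrs[key[1:]] = next(fields, None)
    hidden = attrs.get("hidden") == "t"
    pattern = decrypt(attrs["pattern"]) if hidden else attrs["pattern"]
    return Signature(attrs["name"], attrs.get("severity", "unknown"), hidden, pattern)


def load_signatures(text: str, decrypt: Callable[[str], str], hidden_only: bool = False,
                    predicate: Optional[Callable[[Signature], bool]] = None) -> List[Signature]:
    """Parse, decrypt and filter. hidden_only keeps just protected entries;
    predicate is any condition evaluated on the decoded record."""
    out = []
    for node in parse_sexp(text):
        sig = to_signature(node, decrypt)
        if (hidden_only and not sig.hidden) or (predicate and not predicate(sig)):
            continue
        out.append(sig)
    return out


# Stand-in cipher (assumption): symmetric XOR keystream so this runs offline.
# A real loader would call Blowfish here with the same blob-in/plaintext-out API.
STANDIN_KEY = b"example-key"


def _xor_stream(data: bytes) -> bytes:
    return bytes(b ^ STANDIN_KEY[i % len(STANDIN_KEY)] for i, b in enumerate(data))


def standin_decrypt(hexblob: str) -> str:
    return _xor_stream(bytes.fromhex(hexblob)).decode()


def standin_encrypt(pattern: str) -> str:
    return _xor_stream(pattern.encode()).hex()


# Constructed sample update (three entries, one protected); not real IDP data.
HIDDEN_PLAINTEXT = "GET /cgi-bin/vuln.cgi?cmd="
SAMPLE_DB = f'''
(signature :name "http-traversal" :severity high :pattern "GET /scripts/..%c0%af../")
(signature :name "vendor-protected-1" :severity critical :hidden t
           :pattern "{standin_encrypt(HIDDEN_PLAINTEXT)}")
(signature :name "ftp-site-exec" :severity low :pattern "SITE EXEC")
'''

if __name__ == "__main__":
    for sig in load_signatures(SAMPLE_DB, standin_decrypt, hidden_only=True):
        print(f"{sig.name} [{sig.severity}] -> {sig.pattern}")
```

Swapping the stand-in for a real cipher means replacing only `standin_decrypt`; the parser and the filters never see ciphertext. The explicit stack in `parse_sexp` is the detail behind the memory point: a recursive parser holds one frame per nesting level and often tokenizes the whole file up front, whereas this one touches each byte once and keeps only the partial tree, which is what lets a loader of this shape handle several thousand patterns without a large resident set.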

Reliable
  • The application survived every product update across its six-year lifetime (2007 to 2013).
  • Several real-world IDS bypass techniques were developed from analysis of the signatures.
  • The team gained invaluable experience in IDS evasion and penetration testing.

Copyright and external trademarks

Trademarks, logos and brand names are the property of their respective owners. All company, product and service names referenced or mentioned in this page are for identification and fair-use purposes only, with no endorsement implied.