New "ACT" ?
I already talked with Renaud about this, but maybe somebody has a
bright idea.
Currently we have 7 "categories":
#define ACT_DENIAL 6
#define ACT_DESTRUCTIVE_ATTACK 5
#define ACT_MIXED_ATTACK 4
#define ACT_ATTACK 3
#define ACT_GATHER_INFO 2
#define ACT_SCANNER 1
#define ACT_SETTINGS 0

ACT_ATTACK is supposed to be an attack that does not try to destroy
anything (e.g. stealing a file through web/FTP directory traversal)

ACT_MIXED_ATTACK an attack that _may_ destroy something, although it
was not its goal.

ACT_DESTRUCTIVE_ATTACK an attack which tries to destroy something.
And ACT_DENIAL a denial of service. Which is supposed to be different
from ACT_DESTRUCTIVE_ATTACK :-\

1. I understood that ACT_DESTRUCTIVE_ATTACK meant a DoS against a
program, and ACT_DENIAL something that killed the machine.
Renaud told me that this was not supposed to be the case.

2. So... We need IMHO another category: ACT_KILL_HOST (or any better
name) for DoS against the OS. ACT_DENIAL would be DoS against a
program / daemon / service.

--
mailto:arboi@bigfoot.com
GPG Public keys: http://michel.arboi.free.fr/pubkey.txt
http://michel.arboi.free.fr/ http://arboi.da.ru/
FAQNOPI de fr.comp.securite : http://faqnopi.da.ru/
Re: New "ACT" ?
Might I suggest when defining denial and destructive that you attach a
level to each.

* how much service is denied, is it specific to a service, a machine, or
does it affect a network, this would define the ACT_KILL_HOST
* how much is destroyed and what is the general value of what is
destroyed. Loss of registry is a PITA, loss of config a PITA, loss of
client records possibly disastrous

It's rather hard to define every attack such as the below list in a
linear fashion.

David

Michel Arboi wrote:

>I already talked with Renaud about this, but maybe somebody has a
>bright idea.
>Currently we have 7 "categories":
>#define ACT_DENIAL 6
>#define ACT_DESTRUCTIVE_ATTACK 5
>#define ACT_MIXED_ATTACK 4
>#define ACT_ATTACK 3
>#define ACT_GATHER_INFO 2
>#define ACT_SCANNER 1
>#define ACT_SETTINGS 0
>
>ACT_ATTACK is supposed to be an attack that does not try to destroy
>anything (e.g. stealing a file through web/FTP directory traversal)
>
>ACT_MIXED_ATTACK an attack that _may_ destroy something, although it
>was not its goal.
>
>ACT_DESTRUCTIVE_ATTACK an attack which tries to destroy something.
>And ACT_DENIAL a denial of service. Which is supposed to be different
>from ACT_DESTRUCTIVE_ATTACK :-\
>
>1. I understood that ACT_DESTRUCTIVE_ATTACK meant a DoS against a
>program, and ACT_DENIAL something that killed the machine.
>Renaud told me that this was not supposed to be the case.
>
>2. So... We need IMHO another category: ACT_KILL_HOST (or any better
>name) for DoS against the OS. ACT_DENIAL would be DoS against a
>program / daemon / service.
Re: New "ACT" ?
David Ford <david+cert@blue-labs.org> writes:

> * how much is destroyed and what is the general value of what is
> destroyed. Loss of registry is a PITA, loss of config a PITA, loss
> of client records possibly disastrous

My problem is not currently about the fuzzy "risk level" (although I
will post something on this topic soon), but rather to respect the
timing logic in Nessus: less dangerous scripts are run first.

ACT_KILL_HOST plugins would crash the OS (or the IP stack), so, no
test could be run after them.

--
mailto:arboi@bigfoot.com
GPG Public keys: http://michel.arboi.free.fr/pubkey.txt
http://michel.arboi.free.fr/ http://arboi.da.ru/
FAQNOPI de fr.comp.securite : http://faqnopi.da.ru/
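The timing logic Michel describes (less dangerous scripts run first, and nothing can run after a plugin that takes the host down), as an added example that is not part of the thread and not Nessus's own scheduler code. The numeric category values are the ones quoted in the thread; the value ACT_KILL_HOST = 7, the plugin names and the scheduler functions are assumptions made for illustration:

```python
"""Added example, not Nessus code: a model of the plugin ordering the
thread discusses.  Less dangerous categories run first; a plugin that
crashes the target OS or IP stack (the proposed ACT_KILL_HOST) must run
last, and the scheduler should refuse to run anything after it.
Existing category values come from the thread; ACT_KILL_HOST = 7 and the
sample plugin list are assumptions."""

ACT_SETTINGS = 0
ACT_SCANNER = 1
ACT_GATHER_INFO = 2
ACT_ATTACK = 3
ACT_MIXED_ATTACK = 4
ACT_DESTRUCTIVE_ATTACK = 5
ACT_DENIAL = 6
ACT_KILL_HOST = 7  # proposed in the thread; the value is an assumption here

# Constructed sample plugin list; the names are hypothetical.
SAMPLE_PLUGINS = [
    {"name": "ping_of_death", "category": ACT_KILL_HOST},
    {"name": "ftp_traversal", "category": ACT_ATTACK},
    {"name": "portscan", "category": ACT_SCANNER},
    {"name": "httpd_crash", "category": ACT_DENIAL},
    {"name": "banner_grab", "category": ACT_GATHER_INFO},
    {"name": "scan_options", "category": ACT_SETTINGS},
    {"name": "db_overwrite", "category": ACT_DESTRUCTIVE_ATTACK},
]


def schedule(plugins, allow_kill_host=False):
    """Order plugins so that lower (less dangerous) categories run first.

    The categories are ordinal values, not a bit mask, so a plain numeric
    sort gives the run order.  ACT_KILL_HOST plugins are dropped unless
    the operator explicitly allows them, because no test can be run
    against a host once its OS or IP stack is gone.
    """
    runnable = [p for p in plugins
                if allow_kill_host or p["category"] != ACT_KILL_HOST]
    return sorted(runnable, key=lambda p: (p["category"], p["name"]))


def order_is_safe(ordered):
    """Check a run order: once a kill-host plugin has run, nothing else may follow."""
    seen_kill_host = False
    for p in ordered:
        if p["category"] == ACT_KILL_HOST:
            seen_kill_host = True
        elif seen_kill_host:
            return False
    return True


def run_order_names(plugins, allow_kill_host=False):
    """Convenience wrapper returning only the plugin names in run order."""
    return [p["name"] for p in schedule(plugins, allow_kill_host)]


if __name__ == "__main__":
    print("default run order:", run_order_names(SAMPLE_PLUGINS))
    print("with kill-host plugins:", run_order_names(SAMPLE_PLUGINS, True))
```

With the default settings the kill-host plugin never runs at all; when it is allowed, it is always the final entry, and `order_is_safe` is the check a scheduler can apply to any ordering before starting a scan.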
Re: New "ACT" ?
I thought Denials WOULD likely kill host, so is there a need for a 7th?
Is this bit masked? 0-7? Maybe save it for another one?

--
Michael Scheidell
SECNAP Network Security, LLC
Sales: 866-SECNAPNET / (866) 732-6276
Main: 561-368-9561 / www.secnap.net
Re: New "ACT" ?
"Michael Scheidell" <scheidell@secnap.net> writes:

> I thought Denials WOULD likely kill host

That's what I believed, but if you look at the scripts, many
ACT_DENIAL just kill a service.

> so is there a need for a 7th?

Well, not sure. Maybe the only reason would be to fix just a few
scripts. There are not so many attacks that can kill a system (lang,
ping'o death, plus a couple of attacks that make a service eat all
CPU...)

> is this bit masked?

No.

> 0-7? maybe save it for another one?

We have plenty of room. But maybe there would be some incompatibility
with old / unofficial client software. We should check...

--
mailto:arboi@bigfoot.com
GPG Public keys: http://michel.arboi.free.fr/pubkey.txt
http://michel.arboi.free.fr/ http://arboi.da.ru/
FAQNOPI de fr.comp.securite : http://faqnopi.da.ru/
Re: New "ACT" ?
On Fri, 28 Jun 2002, David Ford wrote:

> Might I suggest when defining denial and destructive that you attach a
> level to each.
>
> * how much service is denied, is it specific to a service, a machine, or
> does it affect a network, this would define the ACT_KILL_HOST
> * how much is destroyed and what is the general value of what is
> destroyed. Loss of registry is a PITA, loss of config a PITA, loss of
> client records possibly disastrous

I am afraid there is no good answer to these two questions: in one
implementation a single server process spawned to handle a single
connection might crash with minimal impact on the rest of the system
while in another implementation the whole service might go down, taking
the whole system with it and corrupting your data as an extra bonus.

--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."