And what about blocking fragmented packets entirely? I would argue
that this would be an acceptable config on many networks.
Jack
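The "block fragments entirely" policy Jack proposes is an IP-layer rule, distinct from the RPC-layer fragmentation David describes, and it only works if the device recognises every piece of a fragmented datagram. The following is an added example, not code from anyone on this thread: it builds a few constructed IPv4 headers, classifies each by its MF flag and fragment offset, and applies the drop-fragments policy with an auditable record of what was dropped (the addresses and identification values are invented).

```python
import struct

# Flags/offset field: 3 flag bits (reserved, DF, MF) followed by a 13-bit
# fragment offset measured in 8-byte units.
MF_FLAG = 0x2000
OFFSET_MASK = 0x1FFF

def build_ipv4_header(src, dst, total_len, ident, mf=False, offset=0, proto=6):
    """Construct a minimal 20-byte IPv4 header for the example (no options,
    checksum left zero). Constructed sample data, not a real capture."""
    ver_ihl = (4 << 4) | 5
    flags_off = (MF_FLAG if mf else 0) | (offset & OFFSET_MASK)
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, ident, flags_off,
                       64, proto, 0,
                       bytes(int(o) for o in src.split(".")),
                       bytes(int(o) for o in dst.split(".")))

def is_fragment(pkt):
    """True if the packet is any piece of a fragmented datagram: either More
    Fragments is set (not the last piece) or the offset is non-zero (not the
    first piece). Checking only MF would let the final fragment through."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    flags_off = struct.unpack("!H", pkt[6:8])[0]
    return bool(flags_off & MF_FLAG) or (flags_off & OFFSET_MASK) != 0

def fragment_policy(packets, drop_fragments=True):
    """Apply the 'block fragments entirely' policy. Returns (passed, dropped),
    each a list of (index, src, ident, offset_bytes) so decisions can be audited."""
    passed, dropped = [], []
    for i, pkt in enumerate(packets):
        src = ".".join(str(b) for b in pkt[12:16])
        ident, flags_off = struct.unpack("!HH", pkt[4:8])
        rec = (i, src, ident, (flags_off & OFFSET_MASK) * 8)
        if drop_fragments and is_fragment(pkt):
            dropped.append(rec)
        else:
            passed.append(rec)
    return passed, dropped

# Constructed sample: one whole datagram and a two-piece fragmented one.
SAMPLE = [
    build_ipv4_header("10.0.0.5", "10.0.0.9", 60, 0x1111),            # ordinary
    build_ipv4_header("10.0.0.5", "10.0.0.9", 28, 0x2222, mf=True),   # first piece
    build_ipv4_header("10.0.0.5", "10.0.0.9", 28, 0x2222, offset=1),  # last piece, offset 8 bytes
]

if __name__ == "__main__":
    ok, blocked = fragment_policy(SAMPLE)
    print("passed:", ok)
    print("dropped:", blocked)
```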
On Thu, 16 Sep 2004 23:30:30 -0400, Tony Carter <tcarter_at_entrusion.com> wrote:
> David,
> Can you back your claim that IPS can easily be evaded by fragging
> packets? Have you actually tested this or is it your guess?
>
> -Tony
>
> On Sep 12, 2004, at 12:29 AM, David Maynor wrote:
>
> > Yeah....I am gonna go ahead and disagree with you on some of these.
> >
> >> I have seen a lot of discussion about the differences between IDS,
> >> IPS, and firewalls and the potential for convergence, but I do not
> >> recall a discussion on the primary features that an IPS should have
> >> out of the box.
> >>
> >> I am thinking of:
> >> - Flow Control - limitations on flooding, unused connections, etc...
> >
> > Most of this should be handled by the signature base.
> >
> >> - Robust, ACCURATE signature base
> >
> > Only way to do this and not create tons of false positives is true
> > protocol parsing. This knocks out most IPS vendors like Tipping Point.
> >
> >> - Packet capture - no debate on how much before, as that has been
> >> covered
> >> - Pre-deployment network analysis tools to accelerate deployment
> >> - Anomaly detection
> >
> > Why? I have yet to see a system that is more than a parlor trick.
> > Anomaly-based systems are even easier to evade than sig-based systems
> > that don't do protocol parsing.
> >
> > What I would add is better tools for testing. Almost nobody grabs a
> > copy of Canvas from Immunity or Impact from Core and actually checks
> > what attacks are caught. Furthermore, even fewer use modded
> > copies of public exploits to see if the claims made by vendors are
> > actually true. How many vendors' IPS implementations would actually catch
> > a MS03-026 exploit if you frag at the RPC layer at a size like 8
> > bytes?
> >
> > -----------------------------------------------------------------------
> > ---
> > Test Your IDS
> >
> > Is your IDS deployed correctly?
> > Find out quickly and easily by testing it with real-world attacks from
> > CORE IMPACT.
> > Go to
> > http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to
> > learn more.
> > -----------------------------------------------------------------------
> > ---
> >
>
>
Received on Sep 17 2004