IDS: Re: IDS alerts / second - Correlation - Virtualization

Re: IDS alerts / second - Correlation - Virtualization

From: Jason <security_at_brvenik.com>
Date: Fri, 29 Jul 2005 16:14:40 -0400

The simple answer is because this mail would have never reached us and
likely will not reach many already.

CAT /ETC/PASSWD is also a perfectly valid Unix command on some systems
in all caps.

Do you think that this mail can be processed and confidently assured to
be safe?

william taft wrote:
> On 7/26/05, Swift, David <dswift_at_ipolicynetworks.com> wrote:
>
>>And how would you propose to block something you can't detect?
>>
>>IPS actions are always on patterns of data, either packet level, or
>>based on anomalous behavior (statistical, historical, protocol...).
>>
>>To argue otherwise is incomprehensible.
>>
>
>
> why -not- block something you can't understand? why are we giving up
> on using tools other than firewalls/IPS (i prefer 'layer 7 firewall'
> to 'ips')? handshaking does exist beyond TCP...applications,
> authentication protocols, etc. all have 'handshakes'. if you
> authorize enough basic application traffic (i'll bet most of us use
> only a handful of applications anyway), i think you'll probably close
> many gaps. IPS/layer7 firewall isn't the answer, but something must
> be out there for this purpose.
>
> On 7/26/05, Swift, David <dswift_at_ipolicynetworks.com> continues:
>
>>RDP is an allowed protocol to Windows. A Null Session is perfectly
>>legitimate to Windows operating system. CAT /ETC/PASSWD is a
>>perfectly valid Unix command.
>
>
> you've lost me here...are you saying that just to jam a square
> technology into a round role? you'd allow any access to /etc/passwd
> from the outside into your DMZ? from a non-administrative workstation
> to a server? i wouldn't. why not block traffic you're not supposed
> to see? yes, block requests to /etc/passwd (and other naughty
> actions) across all ports from the outside world into your dmz. why
> wouldn't you?
>
> /will

Received on Aug 01 2005
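Jason's objection above (a content signature for `cat /etc/passwd` would have blocked this very mail, and a case-sensitive one would not even see `CAT /ETC/PASSWD`) can be made concrete with a toy signature matcher. This is an added example, not code from the list thread or from any IDS/IPS product; the traffic samples are constructed inline, and the signature fields (`nocase`, `protocols`) are this example's own names, loosely modelled on how rule languages express case-insensitivity and protocol scoping.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Signature:
    """A minimal content signature (this example's own shape, not a real rule format)."""
    name: str
    content: str                              # literal to look for in the payload
    nocase: bool = False                      # match regardless of letter case
    protocols: FrozenSet[str] = frozenset()   # empty set = apply to every protocol


@dataclass(frozen=True)
class Flow:
    """One reassembled application payload plus the protocol it was carried over."""
    protocol: str
    payload: str


# Constructed sample traffic (not a capture): a lower-case shell session, the
# same command in upper case, a mailing-list message that only *discusses* the
# command (as the thread above does), and an unrelated web request.
SAMPLE_FLOWS: List[Flow] = [
    Flow("telnet", "$ cat /etc/passwd\r\nroot:x:0:0:root:/root:/bin/sh\r\n"),
    Flow("telnet", "$ CAT /ETC/PASSWD\r\nroot:x:0:0:root:/root:/bin/sh\r\n"),
    Flow("smtp", "Subject: Re: IDS alerts / second\r\n\r\n"
                 "CAT /ETC/PASSWD is also a perfectly valid Unix command on some\r\n"
                 "systems in all caps.\r\n"),
    Flow("http", "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
]

SIGNATURES: List[Signature] = [
    # 1. Exact, case-sensitive literal: misses the upper-case variant entirely.
    Signature("passwd-exact", "cat /etc/passwd"),
    # 2. Case-insensitive: catches the upper-case variant, but now also fires
    #    on any protocol that carries the text, including this mail.
    Signature("passwd-nocase", "cat /etc/passwd", nocase=True),
    # 3. Case-insensitive and scoped to interactive shell protocols, where the
    #    string is a command rather than quoted prose.
    Signature("passwd-nocase-shell", "cat /etc/passwd", nocase=True,
              protocols=frozenset({"telnet", "rlogin"})),
]


def matches(sig: Signature, flow: Flow) -> bool:
    """Return True if the signature's literal occurs in the flow's payload."""
    if sig.protocols and flow.protocol not in sig.protocols:
        return False
    flags = re.IGNORECASE if sig.nocase else 0
    return re.search(re.escape(sig.content), flow.payload, flags) is not None


def scan(sigs: List[Signature], flows: List[Flow]) -> Dict[str, List[int]]:
    """Map each signature name to the indices of the flows it alerted on."""
    hits: Dict[str, List[int]] = {s.name: [] for s in sigs}
    for idx, flow in enumerate(flows):
        for sig in sigs:
            if matches(sig, flow):
                hits[sig.name].append(idx)
    return hits


def run_demo() -> Dict[str, List[int]]:
    """Run the three signatures over the constructed flows."""
    return scan(SIGNATURES, SAMPLE_FLOWS)


if __name__ == "__main__":
    for name, idxs in run_demo().items():
        where = ", ".join(f"#{i} ({SAMPLE_FLOWS[i].protocol})" for i in idxs) or "none"
        print(f"{name:22s} alerted on: {where}")
```

The first rule alerts only on flow #0, the second on #0, #1 and #2 (the mail is the false positive Jason describes), and the third on #0 and #1. Even the scoped rule is still, as David Swift puts it, an action on a pattern of data: the source and destination of the traffic that Will's reply asks about is context this matcher has no field for, and adding it is policy, not pattern matching.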
