Typical inline IDS/IPS devices follow the approach of normalization of
IP fragments, TCP out-of-sequence packets and others. Since it is in
line of traffic, this is possible to do and I guess most of IDS/IPS
devices do this.
If IDS/IPS devices are doing analysis on sniffed traffic, then profiling
of target and normalizing the traffic based on the target are very
important to do further analysis on the traffic.
Srini
-----Original Message-----
From: listbounce_at_securityfocus.com [mailto:listbounce_at_securityfocus.com]
On Behalf Of Steve Reinhardt
Sent: Wednesday, December 19, 2007 5:15 PM
To: focus-ids_at_securityfocus.com
Subject: Preventing layer 3/4 evasions
I'm curious about the market status quo and trends in the area of how
network IDS/IPS products are dealing with layer 3/4 evasion techniques
(a la Ptacek & Newsham: ambiguous segmentation & fragmentation, ttl
tricks, etc.). The Handley/Paxson/Kreibich paper from Usenix01 lists
three approaches (not counting "use a host-based IDS" :-) ):
1. inline normalization
2. profiling the intranet and using target-specific algorithms
3. bifurcating analysis
From what I've read, Snort is going route #2, with the Sourcefire RNA
system doing the profiling.
- Is there any public information regarding which approach (if any)
other commercial systems are using?
- Does Snort's decision indicate any sort of consensus that #2 is the
best approach, or would that be considered controversial? (Clearly #3
isn't practical as a general technique, but the Handley paper seems to
make a good case for #1.)
- Do you all feel that existing approaches (like Snort's, or perhaps
some commercial implementation of #1) are adequate, or is there a need
for a more robust solution?
Basically we've had some ideas in this space and are trying to figure
out whether they're worth pursuing... guess I should add "If so, how
much would you pay for it?" to the last question :-).
Thanks!
Steve
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaig
n=intro_sfw
to learn more.
------------------------------------------------------------------------
************************************************************************
********
This email message (including any attachments) is for the sole use of
the intended recipient(s)
and may contain confidential, proprietary and privileged information.
Any unauthorized review,
use, disclosure or distribution is prohibited. If you are not the
intended recipient,
please immediately notify the sender by reply email and destroy all
copies of the original message.
Thank you.
Intoto Inc.
********************************************************************************
This email message (including any attachments) is for the sole use of the intended recipient(s)
and may contain confidential, proprietary and privileged information. Any unauthorized review,
use, disclosure or distribution is prohibited. If you are not the intended recipient,
please immediately notify the sender by reply email and destroy all copies of the original message.
Thank you.
Intoto Inc.
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
Received on Dec 26 2007
Intro
