Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Full-disclosure] Why the IPS product designers
From: Nelson Brito <nbrito () sekure org>
Date: Wed, 2 Jun 2010 11:12:48 -0300

Ohh.. I just forgot to send you some intereting links:
http://en.wikipedia.org/wiki/Intrusion_prevention_system
http://en.wikipedia.org/wiki/Intrusion_detection_system
http://en.wikipedia.org/wiki/Host-based_intrusion_detection_system
http://en.wikipedia.org/wiki/Network_intrusion_detection_system

Just to educate you! 8)

Nelson Brito
Security Researcher
http://fnstenv.blogspot.com/

Please, help me to develop the ENG® SQL Fingerprint™ downloading it  
from Google Code (http://code.google.com/p/mssqlfp/) or from  
Sourceforge (https://sourceforge.net/projects/mssqlfp/).

Sent on an  iPhone wireless device. Please, forgive any potential  
misspellings!

On Jun 2, 2010, at 3:35 AM, "Cor Rosielle" <cor () outpost24 com> wrote:

I would say: an host IPS could be considered, even if there is a  
network
IPS. If it is a wise decision to spent your money or use your  
hardware for
this, depends from case to case. And I might even add: if someone  
tells you
different, he must be selling something.

Regards,
Cor


-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-
disclosure-bounces () lists grok org uk] On Behalf Of Srinivas Naik
Sent: dinsdag 1 juni 2010 21:14
To: full-disclosure () lists grok org uk
Subject: [Full-disclosure] Full-disclosure] Why the IPS product
designers

Mr. Nelson has brought a good point, Host IPS should also be running
even if
there is Nework IPS.

There are Client end Attacks which has got many Evasion techniques  
and
almost the recent research presents us the proof of such Attacks.
Apart these there exist other exploits/malware which cannot be  
detected
over
the network.

Regards,
Srinivas Naik (Certified Hacker and Forensic Investigator)
IPS Evaluator
http://groups.google.com/group/nforceit

On Tue, Jun 1, 2010 at 9:16 PM,
<full-disclosure-request () lists grok org uk>wrote:

Send Full-Disclosure mailing list submissions to
      full-disclosure () lists grok org uk

To subscribe or unsubscribe via the World Wide Web, visit
      https://lists.grok.org.uk/mailman/listinfo/full-disclosure
or, via email, send a message with subject or body 'help' to
      full-disclosure-request () lists grok org uk

You can reach the person managing the list at
      full-disclosure-owner () lists grok org uk

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Full-Disclosure digest..."


Note to digest recipients - when replying to digest posts, please
trim your
post appropriately. Thank you.


Today's Topics:

 1. Re: Why the IPS product designers concentrate on  server side
    protection? why they are missing client protection (Nelson
Brito)
 2. Re: Why the IPS product designers concentrate on  server side
    protection? why they are missing client protection
    (Valdis.Kletnieks () vt edu)
 3. DoS vulnerability in Internet Explorer (MustLive)
 4. Re: Why the IPS product designers concentrate on  server side
    protection? why they are missing client protection (rajendra
prasad)
 5. Re: Why the IPS product designers concentrate     on      server
side
    protection? why they are missing client protection (Cor
Rosielle)
 6. Re: Why the IPS product designers concentrate on  server side
    protection? why they are missing client protection (Nelson
Brito)
 7. Re: Why the IPS product designers concentrate on  server side
    protection? why they are missing client protection (Nelson
Brito)
 8. Re: DoS vulnerability in Internet Explorer (Laurent Gaffie)
 9. Re: DoS vulnerability in Internet Explorer (Laurent Gaffie)
10. Re: Why the IPS product designers concentrate on  server side
    protection? why they are missing client protection (Cor
Rosielle)
11. Re: DoS vulnerability in Internet Explorer (PsychoBilly)
12. Re: Why the IPS product designers concentrate on  server side
    protection? why they are missing client protection (Nelson
Brito)
13. Onapsis Research Labs: Onapsis Bizploit - The opensource ERP
    Penetration Testing framework (Onapsis Research Labs)
14. Re: The_UT is repenting (T Biehn)


--- 
------------------------------------------------------------------
-

Message: 1
Date: Tue, 1 Jun 2010 08:50:05 -0300
From: Nelson Brito <nbrito () sekure org>
Subject: Re: [Full-disclosure] Why the IPS product designers
      concentrate on  server side protection? why they are missing
client
      protection
To: rajendra prasad <rajendra.palnaty () gmail com>
Cc: "full-disclosure () lists grok org uk"
      <full-disclosure () lists grok org uk>
Message-ID: <E01DF83F-4EB0-4212-8866-76DDB5C3B55B () sekure org>
Content-Type: text/plain;       charset=utf-8;  format=flowed;
delsp=yes

You're missing one point: Host IPS MUST be deployed with any Network
Security (Firewalls os NIPSs).

No security solution/technology is the miracle protection alone, so
that's the reason everybody is talking about defense in depth.

Cheers.

Nelson Brito
Security Researcher
http://fnstenv.blogspot.com/

Please, help me to develop the ENG? SQL Fingerprint? downloading it
from Google Code (http://code.google.com/p/mssqlfp/) or from
Sourceforge (https://sourceforge.net/projects/mssqlfp/).

Sent on an ? iPhone wireless device. Please, forgive any potential
misspellings!

On Jun 1, 2010, at 4:38 AM, rajendra prasad
<rajendra.palnaty () gmail com> wrote:

Hi List,

I am putting my thoughts on this, please share your thoughts,
comments.

Request length is less than the response length.So, processing
small
amount of data is better than of processing bulk data. Response may
have encrypted data. Buffering all the client-server transactions
and validating signatures on them is difficult. Even though
buffered, client data may not be in the plain text. Embedding all
the client encryption/decryption process on the fly is not
possible,
even though ips gathered key values of clients.Most of the client
protection is done by anti-virus. So, concentrating client attacks
at IPS level is not so needed.


Thanks
Rajendra


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



------------------------------

Message: 2
Date: Tue, 01 Jun 2010 08:34:22 -0400
From: Valdis.Kletnieks () vt edu
Subject: Re: [Full-disclosure] Why the IPS product designers
      concentrate on  server side protection? why they are missing
client
      protection
To: rajendra prasad <rajendra.palnaty () gmail com>
Cc: full-disclosure () lists grok org uk
Message-ID: <14206.1275395662 () localhost>
Content-Type: text/plain; charset="us-ascii"

On Tue, 01 Jun 2010 13:08:32 +0530, rajendra prasad said:

Request length is less than the response length.So, processing
small
amount
of data is better than of processing bulk data. Response may have
encrypted
data. Buffering all the client-server transactions and validating
signatures
on them is difficult.

All of that is total wanking.  The *real* reason why IPS product
designers
concentrate on servers is because hopefully the server end is run by
some
experienced people with a clue, and maybe even hardened to last more
than
35 seconds when a hacker attacks.  Meanwhile, if anybody designed an
IPS
for
the client end, it would just get installed on an end-user PC  
running
Windows,
where it will have all the issues and work just as well as any other
anti-malware software on an end-user PC.

Oh - and there's also the little detail that a site is more likely  
to
buy
*one* software license to run on their web server (or whatever),
rather
than
the hassle of buying and administering 10,000 end-user licenses.
Especially
when an IPS on the client end doesn't actually tell you much about
attacks
against the valuable target (the server) from machines you haven't
installed
the end-user IPS on (like the entire rest of the Internet).
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
Url :
http://lists.grok.org.uk/pipermail/full-
disclosure/attachments/20100601/0896c76b/attachment-0001.bin

------------------------------

Message: 3
Date: Tue, 1 Jun 2010 15:42:58 +0300
From: "MustLive" <mustlive () websecurity com ua>
Subject: [Full-disclosure] DoS vulnerability in Internet Explorer
To: <full-disclosure () lists grok org uk>
Message-ID: <005e01cb0188$162059b0$010000c0 () ml>
Content-Type: text/plain; format=flowed; charset="windows-1251";
      reply-type=response

Hello Full-Disclosure!

I want to warn you about Denial of Service vulnerability in Internet
Explorer. Which I already disclosed at my site in 2008 (at
29.09.2008). But
recently I made new tests concerning this vulnerability, so I  
decided
to
remind you about it.

I know this vulnerability for a long time - it's well-known DoS in
IE. It
works in IE6 and after release of IE7 I hoped that Microsoft fixed
this
hole
in seventh version of the browser. But as I tested at 29.09.2008,  
IE7
was
also vulnerable to this attack. And as I tested recently, IE8 is  
also
vulnerable to this attack.

Also I informed Microsoft at 01.10.2008 about it, but they ignored
and
didn't fix it. They didn't fix the hole not in IE6, nor in IE7, nor
in IE8.

That time I published about this vulnerability at SecurityVulns
(http://securityvulns.com/Udocument636.html).

DoS:

Vulnerability concerned with handling by browser of expression in
styles,
which leads to blocking of work of IE.

http://websecurity.com.ua/uploads/2008/IE%20DoS%20Exploit4.html

Vulnerable versions are Internet Explorer 6 (6.0.2900.2180),  
Internet
Explorer 7 (7.0.6000.16711), Internet Explorer 8 (8.0.7600.16385)  
and
previous versions.

To Susan Bradley from Bugtraq:

This is one of those cases, which I told you before, when browser
vendors
ignore to fix DoS holes in their browsers for many years.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua



------------------------------

Message: 4
Date: Tue, 1 Jun 2010 18:28:03 +0530
From: rajendra prasad <rajendra.palnaty () gmail com>
Subject: Re: [Full-disclosure] Why the IPS product designers
      concentrate on  server side protection? why they are missing
client
      protection
To: full-disclosure () lists grok org uk
Message-ID:
      <AANLkTinFeCKoKUNI59k2citWgTJlytqjRiZ8Ze8oM1rp () mail gmail com>
Content-Type: text/plain; charset="iso-8859-1"

Hi List,

I have started this discussion with respect to Network IPS.

Thanks
Rajendra

On Tue, Jun 1, 2010 at 1:08 PM, rajendra prasad
<rajendra.palnaty () gmail com>wrote:

Hi List,

I am putting my thoughts on this, please share your thoughts,
comments.

Request length is less than the response length.So, processing
small
amount
of data is better than of processing bulk data. Response may have
encrypted
data. Buffering all the client-server transactions and validating
signatures
on them is difficult. Even though buffered, client data may not be
in the
plain text. Embedding all the client encryption/decryption process
on the
fly is not possible, even though ips gathered key values of
clients.Most
of
the client protection is done by anti-virus. So, concentrating
client
attacks at IPS level is not so needed.


Thanks
Rajendra



-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://lists.grok.org.uk/pipermail/full-
disclosure/attachments/20100601/0cb18940/attachment-0001.html

------------------------------

Message: 5
Date: Tue, 1 Jun 2010 14:52:51 +0200
From: "Cor Rosielle" <cor () outpost24 com>
Subject: Re: [Full-disclosure] Why the IPS product designers
      concentrate     on      server side protection? why they are
missing
client
      protection
To: "'Nelson Brito'" <nbrito () sekure org>
Cc: full-disclosure () lists grok org uk
Message-ID: <003001cb0189$5962ddf0$0c2899d0$ () com>
Content-Type: text/plain;       charset="UTF-8"

Nelson,

You're missing one point: Host IPS MUST be deployed with any
Network
Security (Firewalls os NIPSs).
Please be aware this is a risk decision and not a fact. I don't use
an host
IPS and no anti Virus either. Still I'm sure my laptop is perfectly
safe.
This is because I do critical thinking about security measures and
don't
copy behavior of others (who often don't think for themselves and
just
copies other peoples behavior). Please note I'm not saying you're  
not
thinking. If you did some critical thinking and an host IPS is a  
good
solution for you, then that's OK> It just doesn't mean it is a good
solution
for everybody else and everybody MUST deploy an host IPS.

No security solution/technology is the miracle protection alone,
That's true.

so that's the reason everybody is talking about defense in depth.
Defense in depth is often used for another line of a similar defense
mechanism as the previous already was. Different layers of defense
works
best if the defense mechanism differ. So if you're using anti virus
software
(which gives you an authentication control and an alarm control
according to
the OSSTMM), then an host IDS is not the best additional security
measure
(because this also gives you an authentication and an alarm  
control).
This would also be a risk decision, but based on facts and the rules
defined in the OSSTMM and not based on some marketing material. You
should
give it a try.

Regards,
Cor Rosielle

w: www.lab106.com



------------------------------

Message: 6
Date: Tue, 1 Jun 2010 10:27:48 -0300
From: Nelson Brito <nbrito () sekure org>
Subject: Re: [Full-disclosure] Why the IPS product designers
      concentrate on  server side protection? why they are missing
client
      protection
To: rajendra prasad <rajendra.palnaty () gmail com>
Cc: "full-disclosure () lists grok org uk"
      <full-disclosure () lists grok org uk>
Message-ID: <76444513-375E-472C-A3CA-8F4A9776EDD4 () sekure org>
Content-Type: text/plain; charset="utf-8"

Okay, but why did you mention AV as a client-side protection?

It leads to a discussion about client-side protection, anyways.

Cheers.

Nelson Brito
Security Researcher
http://fnstenv.blogspot.com/

Please, help me to develop the ENG? SQL Fingerprint? downloading it
from Google Code (http://code.google.com/p/mssqlfp/) or from
Sourceforge (https://sourceforge.net/projects/mssqlfp/).

Sent on an ? iPhone wireless device. Please, forgive any potential
misspellings!

On Jun 1, 2010, at 9:58 AM, rajendra prasad
<rajendra.palnaty () gmail com> wrote:

Hi List,

I have started this discussion with respect to Network IPS.

Thanks
Rajendra

On Tue, Jun 1, 2010 at 1:08 PM, rajendra prasad <
rajendra.palnaty () gmail com
wrote:
Hi List,

I am putting my thoughts on this, please share your thoughts,
comments.

Request length is less than the response length.So, processing
small
amount of data is better than of processing bulk data. Response may
have encrypted data. Buffering all the client-server transactions
and validating signatures on them is difficult. Even though
buffered, client data may not be in the plai

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault