IDS: RE: Network hardware IPS

RE: Network hardware IPS

From: Kohlenberg, Toby <toby.kohlenberg_at_intel.com>
Date: Thu, 9 Oct 2003 00:45:18 -0700

All opinions are my own and in no way reflect the views of my employer.
Responses are embedded.

> -----Original Message-----
> From: Dave Killion [mailto:Dkillion_at_netscreen.com]
> Sent: Tuesday, October 07, 2003 11:21 AM
> To: 'david maynor'; Dave Killion
> Cc: 'Stefano Zanero'; focus-ids_at_securityfocus.com
> Subject: RE: Network hardware IPS
>
>
> I wouldn't say "hardly ever", but you're right - it's difficult to get
> good contexts a majority (over 50%) of the time. Which is
> why I mentioned
> "find something unique to the attack, go for root cause, and get the
> context as specific as possible" part.

That's a great ideal. When was the last time you tried to implement a rule that would catch attacks against buffer overflows in HTTP servers when the NOP sled can change content and size, the content of the attack code can change content and size, and the only likely constant is that it contains cmd.exe?

Rules for specific exploits are easy - that's why worm rules are a cakewalk. The hard ones are the ones for the actual vulnerability the exploit is hitting. It is absolutely possible, it is just much harder to do without generating the occasional false positive.

> Anyway, anyone who's crazy enough to put "cmd.exe" in his
> path deserves
> all the False Positives he can stomach. And quoting a 5-year
> old paper on
> IDS evasion doesn't convince me.

See above. I'll take it out of the signature base if you explain to me how you are going to catch novel or semi-novel attacks using very specific rules that are looking for known patterns.

> If I can create signatures to detect the majority of important attacks
> with a minimum of false positives, to the point where
> customers will buy
> the product, then my job is successful.

Ah, but you see, that's the problem. Most of us aren't _selling_ IDS/IPS/deep_packet_inspection whatever. We actually have to _implement_ them and make them work. Which means that they not only have to _not_ produce more false positives than we can handle, they actually have to _catch_ bad things that aren't easily and clearly defined already. Which means fuzziness, which means false positives. We don't get to focus on the "majority" of "important" attacks. Which would be the important ones? Exactly what percentage is "the majority"?

Perhaps you didn't mean what you said because it comes across as meaning that you aren't interested in delivering a complete product, just the bare minimum necessary to get you in the door.

toby
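An added example, not part of the thread, that contrasts the two rule styles Toby describes: an exploit-specific signature keyed to fixed sled bytes plus the cmd.exe marker, beside a vulnerability-oriented check that flags any over-long request URI regardless of payload. The 256-byte limit, the sled pattern and the sample requests are constructed assumptions, and the "attack" samples are just long filler strings, not real payloads.

```python
import re
from typing import Dict, Tuple

# Exploit-specific rule (assumed, not a real IDS signature): one known exploit's
# fixed sled of sixteen 0x90 bytes, somewhere before a cmd.exe marker.
EXPLOIT_SIG = re.compile(rb"\x90{16}.*cmd\.exe", re.DOTALL)

# Vulnerability-oriented rule (assumed threshold): a request URI longer than
# the server's safe buffer is suspicious whatever bytes it carries.
URI_LIMIT = 256
REQ_LINE = re.compile(rb"^[A-Z]+ (\S+) HTTP/1\.[01]\r\n")


def exploit_rule(request: bytes) -> bool:
    """Fires only on the exact pattern of the one exploit it was written for."""
    return EXPLOIT_SIG.search(request) is not None


def vuln_rule(request: bytes) -> bool:
    """Fires on the condition the vulnerability needs: an oversized URI."""
    m = REQ_LINE.match(request)
    return m is not None and len(m.group(1)) > URI_LIMIT


def build(uri: bytes) -> bytes:
    """Wrap a URI in a minimal HTTP/1.0 request (constructed sample traffic)."""
    return b"GET " + uri + b" HTTP/1.0\r\nHost: example\r\n\r\n"


# Constructed samples: three "attack" variants and two benign requests.
SAMPLES: Dict[str, bytes] = {
    "known_exploit": build(b"/" + b"\x90" * 16 + b"A" * 300 + b"cmd.exe"),
    "variant_sled": build(b"/" + b"\x90\x41" * 8 + b"B" * 300 + b"cmd.exe"),
    "variant_no_marker": build(b"/" + b"\x90" * 16 + b"C" * 300),
    "benign_long_uri": build(b"/search?q=" + b"x" * 300),
    "benign_short": build(b"/index.html"),
}


def evaluate() -> Dict[str, Tuple[bool, bool]]:
    """Return (exploit_rule hit, vuln_rule hit) for every sample."""
    return {name: (exploit_rule(r), vuln_rule(r)) for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, (by_exploit, by_vuln) in evaluate().items():
        print(f"{name:18s} exploit_rule={by_exploit!s:5s} vuln_rule={by_vuln}")
```

The exploit rule misses both variants, while the vulnerability rule catches all three attack samples but also flags the benign long URI, which is the false-positive trade-off the message describes.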

Received on Oct 10 2003
