IDS mailing list archives

RE: Network hardware IPS


From: "Kohlenberg, Toby" <toby.kohlenberg () intel com>
Date: Thu, 9 Oct 2003 00:45:18 -0700

All opinions are my own and in no way reflect the views of my employer.
Responses are embedded.

-----Original Message-----
From: Dave Killion [mailto:Dkillion () netscreen com] 
Sent: Tuesday, October 07, 2003 11:21 AM
To: 'david maynor'; Dave Killion
Cc: 'Stefano Zanero'; focus-ids () securityfocus com
Subject: RE: Network hardware IPS


I wouldn't say "hardly ever", but you're right - it's difficult to get good contexts a majority (over 50%) of the time. Which is why I mentioned the "find something unique to the attack, go for root cause, and get the context as specific as possible" part.

That's a great ideal. When was the last time you tried to implement a rule that would catch attacks against buffer overflows in HTTP servers when the NOP sled can change content and size, the content of the attack code can change content and size, and the only likely constant is that it contains cmd.exe?

Rules for specific exploits are easy - that's why worm rules are a cakewalk. The hard ones are the ones for the actual vulnerability the exploit is hitting. It is absolutely possible, it is just much harder to do without generating the occasional false positive.

Anyway, anyone who's crazy enough to put "cmd.exe" in his path deserves all the false positives he can stomach. And quoting a 5-year-old paper on IDS evasion doesn't convince me.

See above. I'll take it out of the signature base if you explain to me how you are going to catch novel or semi-novel attacks using very specific rules that are looking for known patterns.

If I can create signatures to detect the majority of important attacks with a minimum of false positives, to the point where customers will buy the product, then my job is successful.

Ah, but you see, that's the problem. Most of us aren't _selling_ IDS/IPS/deep_packet_inspection whatever. We actually have to _implement_ them and make them work. Which means that they not only have to _not_ produce more false positives than we can handle, they actually have to _catch_ bad things that aren't easily and clearly defined already. Which means fuzziness, which means false positives. We don't get to focus on the "majority" of "important" attacks. Which would be the important ones? Exactly what percentage is "the majority"?

Perhaps you didn't mean what you said, because it comes across as meaning that you aren't interested in delivering a complete product, just the bare minimum necessary to get you in the door.

toby
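The trade-off argued over in this message (an exploit-specific "cmd.exe" signature versus a rule for the overflow condition itself, and the false positives each one buys you) can be made concrete with a small added example. This is not code from the thread or from either poster; the four HTTP requests, the `cmd.exe` marker rule and the hypothetical 256-byte URI limit are all constructed for illustration.

```python
# Constructed sample HTTP requests (not from the thread), keyed by what they represent.
SAMPLES = {
    # A legitimate request whose path happens to contain the exploit marker.
    "legit_cmd_path": b"GET /docs/cmd.exe-reference.html HTTP/1.0\r\nHost: example.test\r\n\r\n",
    # An overlong URI (classic overflow shape) that carries no cmd.exe marker at all.
    "overlong_no_marker": b"GET /" + b"\x90" * 600 + b" HTTP/1.0\r\nHost: example.test\r\n\r\n",
    # An overlong URI that does end in the marker.
    "overlong_with_marker": b"GET /" + b"A" * 600 + b"cmd.exe HTTP/1.0\r\nHost: example.test\r\n\r\n",
    # A legitimate but unusually long search query.
    "long_legit_query": b"GET /search?q=" + b"a" * 300 + b" HTTP/1.0\r\nHost: example.test\r\n\r\n",
    "normal": b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n",
}

# Hypothetical: the longest request URI the (imaginary) server copies safely.
URI_LIMIT = 256


def exploit_rule(request: bytes) -> bool:
    """Exploit-specific rule: look for a constant the known exploit happens to contain."""
    return b"cmd.exe" in request.lower()


def request_uri(request: bytes) -> bytes:
    """Pull the request-target out of the HTTP request line."""
    line = request.split(b"\r\n", 1)[0]
    parts = line.split(b" ")
    return parts[1] if len(parts) >= 2 else b""


def vulnerability_rule(request: bytes) -> bool:
    """Vulnerability-oriented rule: flag the overflow condition (URI longer than the
    server can handle) no matter what the payload bytes look like."""
    return len(request_uri(request)) > URI_LIMIT


def evaluate(samples=SAMPLES):
    """Return {sample_name: (exploit_rule_hit, vulnerability_rule_hit)} for comparison."""
    return {name: (exploit_rule(req), vulnerability_rule(req)) for name, req in samples.items()}


if __name__ == "__main__":
    for name, (by_exploit, by_vuln) in evaluate().items():
        print(f"{name:22} exploit_rule={by_exploit!s:5} vulnerability_rule={by_vuln}")
```

The exploit rule fires on the harmless documentation path and misses the marker-free overflow; the vulnerability rule catches both overflows but also flags the long legitimate query, which is the fuzziness-versus-false-positive trade-off the message describes.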
