Intrusion Detection Systems mailing list archives

Re: Mod FWD


From: Richard Jones <richard () earthmen com>
Date: 08 Sep 2000 22:33:40 +1100

Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner () uow edu au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicted mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
-----------------------------------------------------------------------------
Keiji Takeda <keiji () sfc keio ac jp> writes:


> When I did the testing, I used both RealSecure 3.2 and 5.0.
>
> 3.2 generated the alarm you mentioned, which simply warns of
> receiving a fragmented packet.
>
> However, 5.0 launched an alarm that came from the result of
> packet reconstruction.
>
> When I tested a fragmented /cgi-bin/phf attack,
> these two versions generated different alarms.
> One is about fragmentation itself (3.2), the other
> is about the reconstructed /cgi-bin/phf (5.0).
>
> Isn't this 5.0 enough as a network-based IDS?


It raises questions as to how much you can trust a product which took
four years to reach what other vendors consider a minimum starting
point.  It indicates a design process driven by marketing rather than
actually protecting customers' networks.  If reviews hadn't begun
making fragmentation reassembly an issue, I wonder if some vendors
would have bothered implementing it.  Unfortunately, marketing will
always dictate the subset of features a product implements.  IDS
designers, however, have a responsibility to customers to implement a
core technology capable of doing the job.  IP frag reassembly is part
of this core.  Vendors who have released (or will release) products
which don't do it are simply foisting defective products upon
unsuspecting consumers.

Richard.
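An added illustration of the distinction Keiji draws between the two RealSecure versions (example code written for this archive page, not code from either poster or from the product): a detector that only inspects each IP fragment on its own, beside one that reassembles the datagram before running the signature. The fragment model, the `/cgi-bin/phf` signature string and the split HTTP request are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

SIGNATURE = b"/cgi-bin/phf"   # content signature the two detectors look for


@dataclass
class Fragment:
    """Minimal IP-fragment model: datagram id, byte offset, more-fragments flag, data."""
    ident: int
    offset: int
    more: bool
    data: bytes


def per_fragment_alerts(frags):
    """3.2-style: warn that fragmentation occurred, match only inside each fragment."""
    alerts = []
    for f in frags:
        if f.offset or f.more:
            alerts.append(f"fragmented packet id={f.ident} offset={f.offset}")
        if SIGNATURE in f.data:
            alerts.append(f"/cgi-bin/phf in fragment id={f.ident}")
    return alerts


class Reassembler:
    """5.0-style: rebuild the datagram, then match on the reconstructed payload."""
    def __init__(self):
        self.parts = defaultdict(dict)   # ident -> {offset: data}
        self.total = {}                  # ident -> length, known once the last fragment arrives

    def add(self, f):
        self.parts[f.ident][f.offset] = f.data
        if not f.more:
            self.total[f.ident] = f.offset + len(f.data)
        if f.ident not in self.total:
            return None
        buf = b""
        for off in sorted(self.parts[f.ident]):
            if off != len(buf):          # hole or overlap: not contiguous yet (overlap policy not modelled)
                return None
            buf += self.parts[f.ident][off]
        if len(buf) != self.total[f.ident]:
            return None
        del self.parts[f.ident], self.total[f.ident]
        return buf


def reassembled_alerts(frags):
    r, alerts = Reassembler(), []
    for f in frags:
        payload = r.add(f)
        if payload is not None and SIGNATURE in payload:
            alerts.append(f"/cgi-bin/phf in reassembled datagram id={f.ident}")
    return alerts


# Constructed sample: one request split on 8-byte boundaries so the signature straddles fragments.
REQUEST = b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n\r\n"
FRAGS = [Fragment(7, 0, True, REQUEST[:8]),
         Fragment(7, 8, True, REQUEST[8:16]),
         Fragment(7, 16, False, REQUEST[16:])]
```

Run `per_fragment_alerts(FRAGS)` and `reassembled_alerts(FRAGS)` side by side: the first reports only "fragmented packet" events and never sees the signature, the second fires once on the rebuilt request, and it still does so when the fragments arrive out of order.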
