IDS mailing list archives
Re: Network hardware IPS
From: "Stefano Zanero" <zanero () elet polimi it>
Date: Tue, 7 Oct 2003 10:05:44 +0200
> Real world example: If I see "cmd.exe" in a URL, I will, every time, detect a malicious act.
And if someone inserts in their home directory a /cmd.exe/ path you will get flooded by false positives. While, if you refer to many other attacks that can be spotted into the URL, if the URL is encoded you may miss them, unless you make very general signatures... and so on. I am not discussing the fact that for some specific signatures, in some specific environment, the ROC curve may show a lucky plateau, allowing it to improve (up to a point) DR with no (visible) growth of FP. But it's a drop in the ocean ;)
> Fragments vs. packets vs. stream - you need to see it as the victim would. Encoding attacks, fragment overlap attacks, etc - all come out in the wash if you parse it the same as the victim.
It's been proven that it's not that easy. Please see Thomas H. Ptacek and Timothy N. Newsham, "Insertion, Evasion, And Denial Of Service: Eluding Network Intrusion Detection," Technical Report, Secure Networks, Inc., January 1998.
> Polymorphic attacks are very interesting and all, but when it comes down to it, they are a very small minority.
ADMutate, anyone?
> In order to exploit the new DCOM vulnerability, you need to open a REMACT binding. This is hard-coded and can't be morphed.
Yes. And unfamiliar as I am with the DCOM protocol: isn't REMACT also used in the normal operation of the protocol?
> There's a variety, but still finite number of ways to make an x86 No-Op slide.
It's countable, not finite. Hardly the same thing.
> You *can* reduce FP without impacting DR. If I didn't believe that, I'd not have a job.
If everyone believed that, I wouldn't have mine ^_^

Stefano
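The two failure modes argued over above (a literal "cmd.exe" signature that misses a percent-encoded URL unless the sensor decodes the way the victim does, and the same signature firing on a home directory that merely contains a /cmd.exe/ path component), as an added Python example that is not part of this thread or any poster's code. The request paths are constructed samples, and the signature, the two-round decoding and the "requested resource" rule are illustrative assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample request paths (not captured traffic).
SAMPLE_REQUESTS = [
    "/scripts/cmd.exe?q=1",          # literal, as the signature expects
    "/scripts/%63md%2Eexe?q=1",      # same request, percent-encoded
    "/scripts/c%256dd.exe?q=1",      # double-encoded 'm' (%25 -> %, then %6d -> m)
    "/~alice/cmd.exe/readme.txt",    # benign: a directory that happens to be named cmd.exe
    "/index.html",
]

# The signature from the discussion: the literal string "cmd.exe" in the URL.
SIGNATURE = re.compile(r"cmd\.exe", re.IGNORECASE)


def match_raw(path: str) -> bool:
    """Naive form: regex over the URL exactly as it appears on the wire."""
    return SIGNATURE.search(path) is not None


def normalize(path: str, max_rounds: int = 2) -> str:
    """Percent-decode repeatedly (bounded), mirroring a server that decodes
    more than once, so the sensor sees what the victim sees."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.lower()


def match_normalized(path: str) -> bool:
    """Same signature, applied after normalization."""
    return SIGNATURE.search(normalize(path)) is not None


def requests_cmd_exe(path: str) -> bool:
    """Narrower rule (assumed): alert only when the requested resource itself
    is cmd.exe, not when cmd.exe is merely a directory component of the path."""
    clean_path = urlsplit(normalize(path)).path
    return clean_path.rsplit("/", 1)[-1] == "cmd.exe"


def evaluate(requests):
    """Per request: (raw match, normalized match, narrowed rule)."""
    return {r: (match_raw(r), match_normalized(r), requests_cmd_exe(r)) for r in requests}
```

Run `evaluate(SAMPLE_REQUESTS)`: the raw signature misses both encoded forms, normalization catches them, and only the narrowed rule stays quiet on the benign /cmd.exe/ directory.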