IDS mailing list archives
Re: Wishlist for IPS Products
From: David Maynor <dmaynor () gmail com>
Date: Mon, 20 Sep 2004 18:30:15 -0400
The fragmentation is at the RPC layer and not the IP layer, what device is going to block that?

On Fri, 17 Sep 2004 13:37:26 -0400, PS R <secureyourself () gmail com> wrote:
> And what about blocking fragmented packets entirely. I would argue that
> this would be an acceptable config on many networks.
>
> Jack
>
> On Thu, 16 Sep 2004 23:30:30 -0400, Tony Carter <tcarter () entrusion com> wrote:
>> David,
>>
>> Can you back your claim that IPS can easily be evaded by fragging
>> packets? Have you actually tested this or is it your guess?
>>
>> -Tony
>>
>> On Sep 12, 2004, at 12:29 AM, David Maynor wrote:
>>> Yeah.... I am gonna go ahead and disagree with you on some of these.
>>>
>>>> I have seen a lot of discussion about the differences between IDS, IPS,
>>>> and firewalls and the potential for convergence, but I do not recall a
>>>> discussion on the primary features that an IPS should have out of the
>>>> box. I am thinking of:
>>>>
>>>> - Flow Control - limitations on flooding, unused connections, etc...
>>>
>>> Most of this should be handled by the signature base.
>>>
>>>> - Robust, ACCURATE signature base
>>>
>>> Only way to do this and not create tons of false positives is true
>>> protocol parsing. This knocks out most IPS vendors like Tipping Point.
>>>
>>>> - Packet capture - no debate on how much before, as that has been covered
>>>> - Pre-deployment network analysis tools to accelerate deployment
>>>> - Anomaly detection
>>>
>>> Why? I have yet to see a system that is more than a parlor trick.
>>> Anomaly based systems are even easier to evade than sig based systems
>>> that don't do protocol parsing.
>>>
>>> What I would add is better tools for testing. Almost nobody grabs a
>>> copy of Canvas from Immunity or Impact from Core and actually checks
>>> what attacks are caught. Furthermore, even fewer use modded copies of
>>> public exploits to see if the claims made by vendors are actually true.
>>> How many vendors' IPS implementations would actually catch a MS03-026
>>> exploit if you frag at the RPC layer at a size like 8 bytes?

--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------
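The point Maynor is making (RPC-layer fragmentation is invisible to a device that only reassembles IP fragments or matches per packet) can be shown directly. The following is an added example written for this archive page, not code from any list participant or vendor. It builds DCE/RPC connection-oriented request PDUs whose stub data is cut into 8-byte fragments, exactly the scenario he describes, then runs two detectors over them: a per-PDU pattern matcher (what a non-parsing sensor does) and one that reassembles the call's fragments first. The stub bytes are a constructed marker string standing in for whatever a signature would look for, not exploit content; the opnum and call_id values are arbitrary, and the header layout follows the DCE 1.1 RPC specification (rpc_vers, ptype, pfc_flags, frag_length, call_id, then alloc_hint/p_cont_id/opnum for requests).

```python
"""DCE/RPC-layer fragmentation vs. per-packet inspection.

Added example (not from the list thread). Builds fragmented DCE/RPC request
PDUs and contrasts a per-PDU pattern matcher with one that reassembles the
stub data before matching. MARKER is a constructed stand-in for signature
content; opnum and call_id are arbitrary.
"""
import struct

# Connection-oriented common header: 16 bytes, little-endian fields.
HDR_FMT = "<BBBBIHHI"   # rpc_vers, rpc_vers_minor, ptype, pfc_flags, packed_drep, frag_length, auth_length, call_id
HDR_LEN = struct.calcsize(HDR_FMT)   # 16
REQ_FMT = "<IHH"        # request-specific header: alloc_hint, p_cont_id, opnum
REQ_LEN = struct.calcsize(REQ_FMT)   # 8
PTYPE_REQUEST = 0x00
PFC_FIRST_FRAG = 0x01
PFC_LAST_FRAG = 0x02
PACKED_DREP = 0x00000010  # little-endian integers, ASCII chars, IEEE floats

# Constructed marker: the bytes a signature would be looking for in the stub.
MARKER = b"CONSTRUCTED-STUB-PATTERN-NOT-AN-EXPLOIT"


def build_request_fragments(stub, opnum, call_id, frag_size, cont_id=0):
    """Split `stub` into request PDUs carrying at most `frag_size` stub bytes each.

    Every PDU repeats the 16-byte common header and the 8-byte request header.
    Only the first carries PFC_FIRST_FRAG and only the last PFC_LAST_FRAG, so a
    receiver has to stitch the stub back together before it sees the payload.
    """
    if frag_size <= 0:
        raise ValueError("frag_size must be positive")
    chunks = [stub[i:i + frag_size] for i in range(0, len(stub), frag_size)] or [b""]
    pdus = []
    for idx, chunk in enumerate(chunks):
        flags = (PFC_FIRST_FRAG if idx == 0 else 0) | (PFC_LAST_FRAG if idx == len(chunks) - 1 else 0)
        frag_length = HDR_LEN + REQ_LEN + len(chunk)
        hdr = struct.pack(HDR_FMT, 5, 0, PTYPE_REQUEST, flags, PACKED_DREP, frag_length, 0, call_id)
        # alloc_hint is advisory (total stub size); a parser must not size buffers from it.
        req = struct.pack(REQ_FMT, len(stub), cont_id, opnum)
        pdus.append(hdr + req + chunk)
    return pdus


def parse_pdu(pdu):
    """Parse one request PDU into a dict; raises ValueError if the header is malformed."""
    if len(pdu) < HDR_LEN:
        raise ValueError("short PDU")
    vers, _minor, ptype, flags, _drep, frag_length, auth_length, call_id = struct.unpack(HDR_FMT, pdu[:HDR_LEN])
    if vers != 5 or frag_length != len(pdu):
        raise ValueError("bad rpc_vers or frag_length")
    if ptype != PTYPE_REQUEST:
        raise ValueError("not a request PDU")
    if len(pdu) < HDR_LEN + REQ_LEN + auth_length:
        raise ValueError("short request PDU")
    alloc_hint, cont_id, opnum = struct.unpack(REQ_FMT, pdu[HDR_LEN:HDR_LEN + REQ_LEN])
    # Any auth trailer (auth_length bytes) sits at the end and is not stub data.
    stub_end = len(pdu) - auth_length
    return {"pfc_flags": flags, "call_id": call_id, "opnum": opnum, "cont_id": cont_id,
            "alloc_hint": alloc_hint, "stub": pdu[HDR_LEN + REQ_LEN:stub_end]}


def naive_match(pdus, pattern):
    """Per-packet inspection: looks for `pattern` inside each PDU on its own."""
    return any(pattern in pdu for pdu in pdus)


def reassemble_requests(pdus):
    """Protocol-aware reassembly: returns {call_id: full_stub} for completed calls.

    Fragments are keyed by call_id. A fragment that lacks PFC_FIRST_FRAG and does
    not belong to a call already in progress is dropped, not started mid-stream.
    """
    in_progress, done = {}, {}
    for pdu in pdus:
        p = parse_pdu(pdu)
        cid, flags = p["call_id"], p["pfc_flags"]
        if flags & PFC_FIRST_FRAG:
            in_progress[cid] = bytearray()
        elif cid not in in_progress:
            continue
        in_progress[cid] += p["stub"]
        if flags & PFC_LAST_FRAG:
            done[cid] = bytes(in_progress.pop(cid))
    return done


def reassembled_match(pdus, pattern):
    """Match against reassembled stub data, as a protocol-parsing sensor must."""
    return any(pattern in stub for stub in reassemble_requests(pdus).values())


if __name__ == "__main__":
    frags = build_request_fragments(MARKER, opnum=0, call_id=1, frag_size=8)
    print(f"{len(frags)} request PDUs, <= 8 stub bytes each")
    print("per-packet match :", naive_match(frags, MARKER))        # False
    print("reassembled match:", reassembled_match(frags, MARKER))  # True
```

Nothing here is fragmented at the IP layer: each PDU is a complete, well-formed RPC message that would pass an IP-reassembly engine untouched, which is why dropping IP fragments (the suggestion quoted above) does not address it. The reassembler also shows the state a sensor has to keep per call_id, and the choice it has to make about orphan fragments; an attacker who can guess how the sensor and the target differ on those choices has another evasion.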
Current thread:
- Wishlist for IPS Products PS R (Sep 11)
- Re: Wishlist for IPS Products - HYBRID IPS Andy Cuff (Sep 14)
- Re: Wishlist for IPS Products Srinivasa Rao Addepalli (Sep 14)
- Re: Wishlist for IPS Products David Maynor (Sep 14)
- Re: Wishlist for IPS Products PS R (Sep 14)
- Re: Wishlist for IPS Products Tony Carter (Sep 17)
- Re: Wishlist for IPS Products PS R (Sep 17)
- Re: Wishlist for IPS Products David Maynor (Sep 21)
- Re: Wishlist for IPS Products David Maynor (Sep 20)
- Re: Wishlist for IPS Products David Maynor (Sep 22)
- Re: Wishlist for IPS Products PS R (Sep 24)
- Re: Wishlist for IPS Products David Maynor (Sep 20)
- <Possible follow-ups>
- RE: Wishlist for IPS Products Paine, Steve (Sep 14)
- Fwd: Re: Wishlist for IPS Products Craig M. Taylor (Sep 27)