IDS mailing list archives

Re: IDS alerts / second - Correlation - Virtualization


From: Jason <security () brvenik com>
Date: Fri, 29 Jul 2005 16:14:40 -0400

The simple answer is because this mail would have never reached us and likely will not reach many already.


CAT /ETC/PASSWD is also a perfectly valid Unix command on some systems in all caps.

Do you think that this mail can be processed and confidently assured to be safe?

william taft wrote:
On 7/26/05, Swift, David <dswift () ipolicynetworks com> wrote:

And how would you propose to block something you can't detect?

IPS actions are always on patterns of data, either packet level, or
based on anomalous behavior (statistical, historical, protocol...).

To argue otherwise is incomprehensible.



why -not- block something you can't understand?  why are we giving up
on using tools other than firewalls/IPS (i prefer 'layer 7 firewall'
to 'ips')?  handshaking does exist beyond TCP...applications,
authentication protocols, etc. all have 'handshakes'.  if you
authorize enough basic application traffic (i'll bet most of us use
only a handful of applications anyway), i think you'll probably close
many gaps.  IPS/layer7 firewall isn't the answer, but something must
be out there for this purpose.

On 7/26/05, Swift, David <dswift () ipolicynetworks com> continues:

RDP is an allowed protocol to Windows. A Null Session is perfectly
legitimate to Windows operating system.  CAT /ETC/PASSWD is a
perfectly valid Unix command.


you've lost me here...are you saying that just to jam a square
technology into a round role?  you'd allow any access to /etc/passwd
from the outside into your DMZ?  from a non-administrative workstation
to a server?  i wouldn't.  why not block traffic you're not supposed
to see?  yes, block requests to /etc/passwd (and other naughty
actions) across all ports from the outside world into your dmz.  why
wouldn't you?

/will
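As an added illustration of the point being argued in this thread (example code written here, not code from any of the posters): a small Python matcher run over constructed sample lines shows why a case-sensitive signature misses CAT /ETC/PASSWD, why a case-insensitive signature then also fires on a mail like this one, and how scoping the rule to the protocol context it was written for narrows that. The channel labels, the sample lines and the rule names are all constructed for the example.

```python
import re

# Constructed sample traffic. Each entry is (channel the bytes were seen on, payload).
SAMPLES = [
    ("http-request", "GET /cgi-bin/view.cgi?file=../../etc/passwd HTTP/1.0"),
    ("http-request", "GET /index.html HTTP/1.0"),
    ("telnet-input", "CAT /ETC/PASSWD"),
    ("smtp-body", "CAT /ETC/PASSWD is also a perfectly valid Unix command on some systems."),
    ("smtp-body", "Meeting moved to 3pm, see the updated agenda."),
]

# Rule 1: a literal, case-sensitive content match, as a naive signature would be written.
NAIVE = re.compile(r"cat /etc/passwd")

# Rule 2: the same idea made case-insensitive and widened to the path alone.
CASEFOLD = re.compile(r"/etc/passwd", re.IGNORECASE)

# Rule 3: context-scoped checks, one per channel where the string is a request
# or a command rather than text someone is discussing.
HTTP_PATH = re.compile(r"^(?:GET|POST|HEAD)\s+(\S+)", re.IGNORECASE)
SHELL_CMD = re.compile(r"^\s*cat\s+/etc/passwd\b", re.IGNORECASE)


def naive_hits(samples):
    """Indices of samples matched by the case-sensitive literal signature."""
    return [i for i, (_, payload) in enumerate(samples) if NAIVE.search(payload)]


def casefold_hits(samples):
    """Indices matched by the case-insensitive path signature, on any channel."""
    return [i for i, (_, payload) in enumerate(samples) if CASEFOLD.search(payload)]


def context_hits(samples):
    """Indices matched only where the text is a request line or a typed command.

    Mail bodies (smtp-body) are not inspected by this rule at all: the string is
    plain discussion there, which is exactly the false positive the thread is about.
    """
    hits = []
    for i, (channel, payload) in enumerate(samples):
        if channel == "http-request":
            m = HTTP_PATH.match(payload)
            # Inspect only the request target, so the match is tied to a file request.
            if m and CASEFOLD.search(m.group(1)):
                hits.append(i)
        elif channel == "telnet-input":
            if SHELL_CMD.match(payload):
                hits.append(i)
    return hits


if __name__ == "__main__":
    for name, fn in (("naive", naive_hits), ("casefold", casefold_hits), ("context", context_hits)):
        print(f"{name:9s} -> {[SAMPLES[i][1] for i in fn(SAMPLES)]}")
```

Run as a script it prints which sample each rule fires on: the naive rule fires on nothing, the case-insensitive rule fires on the HTTP traversal, the typed command and the mail text alike, and the context-scoped rule drops the mail text while keeping the two real requests. Scoping by channel is not a complete answer (encoded or split paths still need normalization before the match), but it is the kind of distinction a pattern alone cannot make.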

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
------------------------------------------------------------------------