IDS mailing list archives
Re: IDS alerts / second - Correlation - Virtualization
From: Jason <security () brvenik com>
Date: Fri, 29 Jul 2005 16:14:40 -0400
The simple answer is because this mail would have never reached us and likely will not reach many already.
CAT /ETC/PASSWD is also a perfectly valid Unix command on some systems in all caps.
Do you think that this mail can be processed and confidently assured to be safe?
william taft wrote:

> On 7/26/05, Swift, David <dswift () ipolicynetworks com> wrote:
>
> > And how would you propose to block something you can't detect? IPS actions are always on patterns of data, either packet level, or based on anomalous behavior (statistical, historical, protocol...). To argue otherwise is incomprehensible.
>
> why -not- block something you can't understand? why are we giving up on using tools other than firewalls/IPS (i prefer 'layer 7 firewall' to 'ips')? handshaking does exist beyond TCP...applications, authentication protocols, etc. all have 'handshakes'. if you authorize enough basic application traffic (i'll bet most of us use only a handful of applications anyway), i think you'll probably close many gaps. IPS/layer7 firewall isn't the answer, but something must be out there for this purpose.
>
> On 7/26/05, Swift, David <dswift () ipolicynetworks com> continues:
>
> > RDP is an allowed protocol to Windows. A Null Session is perfectly legitimate to Windows operating system. CAT /ETC/PASSWD is a perfectly valid Unix command.
>
> you've lost me here...are you saying that just to jam a square technology into a round role? you'd allow any access to /etc/passwd from the outside into your DMZ? from a non-administrative workstation to a server? i wouldn't. why not block traffic you're not supposed to see? yes, block requests to /etc/passwd (and other naughty actions) across all ports from the outside world into your dmz. why wouldn't you?
>
> /will

------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
------------------------------------------------------------------------
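The disagreement above is about where an IPS matches its pattern, not whether it matches one. Jason's point is that a rule keyed on the raw string "/etc/passwd" anywhere in a packet would also drop this very mail, while Will's "block requests to /etc/passwd" only makes sense if the rule knows it is looking at a request path. The script below is an added illustration, not code from the thread or from any product mentioned in it; it runs a content-only rule and a protocol-aware rule over three constructed payloads (an HTTP request for /etc/passwd, a benign HTTP request, and an SMTP body containing the sentence quoted in the thread). Payload contents, host names and addresses are invented for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample payloads (assumptions for this example, not captures from the list thread).
# The SMTP body reuses the sentence quoted in the thread to show the false positive it describes.
SAMPLES = {
    "http_request": b"GET /etc/passwd HTTP/1.0\r\nHost: dmz.example\r\n\r\n",
    "http_benign": b"GET /docs/unix/passwd-file-format.html HTTP/1.0\r\nHost: dmz.example\r\n\r\n",
    "smtp_mail": (
        b"From: security@example\r\nTo: focus-ids@example\r\n\r\n"
        b"CAT /ETC/PASSWD is also a perfectly valid Unix command on some systems in all caps.\r\n"
    ),
}

# Rule 1: a raw content pattern, the kind of byte match the thread argues about.
CONTENT_PATTERN = re.compile(rb"/etc/passwd", re.IGNORECASE)


def naive_content_match(payload: bytes) -> bool:
    """Fire wherever the string occurs, regardless of protocol: this matches the mail body too."""
    return CONTENT_PATTERN.search(payload) is not None


# Rule 2: only inspect the path component of an HTTP request line.
REQUEST_LINE = re.compile(rb"^(GET|HEAD|POST) (\S+) HTTP/1\.[01]\r\n")


def http_request_path(payload: bytes):
    """Return the decoded, normalized request path, or None if payload is not an HTTP request."""
    m = REQUEST_LINE.match(payload)
    if m is None:
        return None
    target = m.group(2).decode("latin-1")
    path = target.split("?", 1)[0]      # drop the query string
    path = unquote(path)                # decode %xx escapes
    return posixpath.normpath(path)     # collapse "//" and resolve "." / ".." segments


def protocol_aware_match(payload: bytes) -> bool:
    """Fire only when an HTTP request path names /etc/passwd; non-HTTP payloads never match."""
    path = http_request_path(payload)
    if path is None:
        return False
    # Lowercasing is deliberately conservative: a Unix file system is case-sensitive,
    # but treating /ETC/PASSWD as the same target costs little in a request-path rule.
    return "/etc/passwd" in path.lower()


def evaluate(samples=SAMPLES):
    """Run both rules over every sample; returns {name: (naive_fired, aware_fired)}."""
    return {name: (naive_content_match(p), protocol_aware_match(p))
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, (naive, aware) in evaluate().items():
        print(f"{name:14s} content-only={naive!s:5s} protocol-aware={aware}")
```

The content-only rule fires on the HTTP request and on the mail (the false positive Jason describes), while the protocol-aware rule fires on the HTTP request alone, because the SMTP payload never parses as a request line. Neither rule touches the benign request. The normalization step matters for the same reason: a rule that decides on the path a server would actually open, rather than on the exact bytes on the wire, is what lets "block requests to /etc/passwd" be enforced without blocking every mention of the file.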
Current thread:
- Re: IDS alerts / second - Correlation - Virtualization Jason (Aug 01)
- Re: IDS alerts / second - Correlation - Virtualization Devdas Bhagat (Aug 02)
- Re: IDS alerts / second - Correlation - Virtualization Jason (Aug 02)
- Re: IDS alerts / second - Correlation - Virtualization Devdas Bhagat (Aug 03)
- Re: IDS alerts / second - Correlation - Virtualization Jason (Aug 02)
- Re: IDS alerts / second - Correlation - Virtualization Devdas Bhagat (Aug 02)