IDS mailing list archives
RE: newbie quetsions
From: "Julius Detritus" <julius.detritus () ifrance com>
Date: Wed, 12 Jan 2005 19:02:11 +0100
About NSS tests:

> "They're not open tests."
>
> The NSS test methodologies are published in full.

You don't have the details of the tests (not even the "baseline" signatures).

> "They're outdated."
>
> The first IPS test was a year ago and the NSS methodology was brand new. You're right that it's mostly the same this year, save for some new exploits, but I would not consider it outdated. I don't know of a more recent or more comprehensive set of tests for a network IPS.

They are outdated. The most recent exploit tested must be two years old... They are copy and paste from IDS tests which are far older. And the whole methodology is not appropriate. IPS are not IDS. For IDS, "false alarms" generated by out-of-session packets (like the ones snot would raise on snort) are not acceptable, as they would confuse administrators in their research for effective attacks. In the case of IPS it is different. OK, it was not a real attack, but who cares? The purpose of IPS is to block. Who cares if it blocked attacks out of session? It was not legitimate anyway. But to understand that, you need to understand IPS, and to be used to security operations (device management, post-mortem audits, forensics analysis and the like...).

> "They largely test for things you don't care about, such as pushing packets down a wire..."
>
> My experience shows that organizations DO care about the things that NSS tests for: signature coverage, baseline performance, performance under load, latency, application response times, anti-evasion capabilities, stateful operation, management and configuration. I already mentioned my view about "pushing packets down the wire."

Do you really care about the phf exploit? Or maybe the old sshutupteo from gobbles? Are you talking about organizations or museums?

> Bob Walder from NSS can chime in here, but my understanding is that the NSS signature coverage tests include many RPC-related exploits and their variants, run both "in the clear" and with various evasion techniques, including modified exploit code and RPC fragmentation.

Anti-evasion is Whisker (not nikto, I said whisker) and fragroute 1.2... Modified exploits are common ones with strings changed (GOBBLES to GOBBLED).

> "No scientific test should be non-repeatable"
>
> We've been able to repeat the majority of the NSS tests consistently in our lab.

So your exploit database must be very old.

My 0.02$

Julius
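The out-of-session point made in the post above (a snot-style packet that carries a rule string but has no TCP session behind it) as an added example; this is not code from the list, from Snort, or from any product discussed. A stateless content matcher alerts on such a packet, a sensor that follows the three-way handshake does not, and an IPS would simply drop it as non-legitimate traffic. The signature set, the addresses and the packets are all constructed for the example.

```python
"""Stateless versus stateful content matching over constructed packets."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str            # TCP flags as a string: "S", "SA", "A", "PA"
    payload: bytes = b""


# Constructed signature set for the example (hypothetical, not a real rule set).
SIGNATURES: Dict[str, bytes] = {
    "WEB-CGI phf access": b"/cgi-bin/phf",
}

FlowKey = Tuple[Tuple[str, int], Tuple[str, int]]


def content_matches(pkt: Packet) -> List[str]:
    """Plain substring matching with no notion of session: what a stateless
    sensor does, and what snot-style packet generators trigger at will."""
    return [name for name, pat in SIGNATURES.items() if pat in pkt.payload]


def flow_key(pkt: Packet) -> FlowKey:
    """Direction-independent key so both halves of a conversation share state."""
    a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
    return (a, b) if a <= b else (b, a)


class StatefulSensor:
    """Follow the three-way handshake and only run content matching on
    packets that belong to an established session."""

    def __init__(self) -> None:
        self.flows: Dict[FlowKey, str] = {}

    def process(self, pkt: Packet) -> Tuple[str, List[str]]:
        """Return (verdict, matches); verdict is 'handshake', 'in-session'
        or 'out-of-session', and matches is non-empty only for 'in-session'."""
        key = flow_key(pkt)
        state = self.flows.get(key)
        if pkt.flags == "S" and state is None:
            self.flows[key] = "SYN_SENT"
            return ("handshake", [])
        if pkt.flags == "SA" and state == "SYN_SENT":
            self.flows[key] = "SYN_RECEIVED"
            return ("handshake", [])
        if pkt.flags == "A" and state == "SYN_RECEIVED":
            self.flows[key] = "ESTABLISHED"
            return ("handshake", [])
        if state != "ESTABLISHED":
            # No session context: an IDS stays quiet instead of raising a
            # false alarm; an IPS can drop the packet, which is not legitimate
            # traffic either way, without calling it an attack.
            return ("out-of-session", [])
        return ("in-session", content_matches(pkt))


def compare(packets: List[Packet]) -> Dict[str, int]:
    """Count what a stateless matcher alerts on versus a stateful sensor."""
    counts = {"stateless_alerts": 0, "stateful_alerts": 0, "out_of_session": 0}
    sensor = StatefulSensor()
    for pkt in packets:
        counts["stateless_alerts"] += len(content_matches(pkt))
        verdict, matches = sensor.process(pkt)
        counts["stateful_alerts"] += len(matches)
        if verdict == "out-of-session":
            counts["out_of_session"] += 1
    return counts


# Constructed traffic: client C talks to web server S.
C, S = "10.0.0.5", "10.0.0.80"
REQUEST = b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n"
SAMPLE: List[Packet] = [
    # snot-style packet: matches the rule string but no handshake preceded it
    Packet(C, 40001, S, 80, "PA", REQUEST),
    # a genuine session carrying the same request
    Packet(C, 40002, S, 80, "S"),
    Packet(S, 80, C, 40002, "SA"),
    Packet(C, 40002, S, 80, "A"),
    Packet(C, 40002, S, 80, "PA", REQUEST),
    # a genuine session with benign content
    Packet(C, 40003, S, 80, "S"),
    Packet(S, 80, C, 40003, "SA"),
    Packet(C, 40003, S, 80, "A"),
    Packet(C, 40003, S, 80, "PA", b"GET /index.html HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    print(compare(SAMPLE))
```

Run as a script, the stateless count is two (the snot-style packet plus the real request) while the stateful sensor reports one alert and one out-of-session packet; that gap is exactly the "false alarm" the post says is unacceptable for an IDS and irrelevant for an IPS.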
Current thread:
- Re: newbie quetsions Jose Maria Lopez (Jan 03)
- <Possible follow-ups>
- Re: newbie quetsions Jason (Jan 06)
- Re: newbie quetsions Dave Aitel (Jan 06)
- Re: newbie quetsions (on how much Snort sucks) Martin Roesch (Jan 11)
- Re: newbie quetsions (on how much Snort sucks) Dave Aitel (Jan 11)
- Re: newbie quetsions (on how much Snort sucks) Martin Roesch (Jan 11)
- Re: newbie quetsions Dave Aitel (Jan 06)
- RE: newbie quetsions Julius Detritus (Jan 12)
- Re: newbie quetsions Rainer Duffner (Jan 17)
- About IPS testing (was: newbie quetsions) Julius Detritus (Jan 19)
- Re: About IPS testing Tod Beardsley (Jan 24)
- Re: newbie quetsions Stefano Zanero (Jan 14)