RE: newbie quetsions

["Julius Detritus" <julius.detritus () ifrance com>]

About NSS tests:

> > "They're not open tests."

> The NSS test methodologies are published in full.

You don't have the details of the tests (not even the "baseline"
signatures).

> > "They're outdated."
 
> The first IPS test was a year ago and the NSS methodology was brand new.
> You're right that it's mostly the same this year, save for some new
> exploits, but I would not consider it outdated.  I don't know of a more
> recent or more comprehensive set of tests for a network IPS.

They are outdated. The most recent exploit tested must be two years old...
They are copy and paste from IDS tests which are far older. 

And the whole methodology is not appropriate. IPS are not IDS.

For IDS "false alarms" generated by out of session packets (like the one
snot would raise on snort) are not acceptable as it would confuse
administrators in their research for effective attacks.

In the case of IPS it is different. OK, it was not a real attack but who
cares. The purpose of IPS is to block. Who cares if it blocked attacks out
of session? It was not legitimate anyway.

But to understand that, you need to understand IPS, and to be used to
security operations (devices management, post-mortem audits, forensics
analysis and the like...)

> > "They largely test for things you don't care about, such as pushing
packets down a wire..."
 
> My experience shows that organizations DO care about the things that NSS
> tests for: signature coverage, baseline performance, performance under
> load, latency, application response times, anti-evasion capabilities,
> stateful operation, management and configuration.  I already  mentioned my
> view about "pushing packets down the wire."

Do you really care about the phf exploit? Or maybe the old sshutupteo from
gobbles? Are you talking about organizations or museums?

> Bob Walder from NSS can chime in here, but my understanding is that the NSS
> signature coverage tests include many RPC-related exploits and their
> variants, run both "in the clear" and with various evasion techniques,
> including modified exploit code and RPC fragmentation.

Anti-evasion is Whisker (not nikto, I said whisker) and fragroute 1.2...

Modified exploits are common ones with strings changed (GOBBLES to GOBBLED).

> > "No scientific test should be non-repeatable"

> We've been able to repeat the majority of the NSS tests consistently in our
> lab.  

So your exploit database must be very old

My 0.02$

Julius


_____________________________________________________________________

Envie de discuter gratuitement avec vos amis ?
Téléchargez Yahoo! Messenger http://yahoo.ifrance.com


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------