IDS mailing list archives

RE: IDS vs. IPS deployment feedback


From: "Palmer, Paul (ISSAtlanta)" <PPalmer () iss net>
Date: Wed, 12 Apr 2006 11:10:03 -0400

Paul Schmehl wrote:

Interesting.  Please provide an example of where ISS was detecting a
vulnerability before snort was.

I can give you several off the top of my head:

MS05-039/CVE-2005-1983 (Stack overflow in UPNP BO)
MS05-021/CVE-2005-0560 (Heap overflow in the Microsoft Exchange
X-LINK2STATE verb)
CVE-2006-0058 (the recent race condition in the Sendmail signal handler)

Granted, ISS discovered all three of these and that is why it had
protection in its products before SNORT (in some cases a long time
before SNORT or any other vendor). But, then I believe this is the point
that Andrew was trying to make.

Paul

-----Original Message-----
From: Paul Schmehl [mailto:pauls () utdallas edu] 
Sent: Monday, April 10, 2006 4:28 PM
To: focus-ids () securityfocus com
Subject: Re: IDS vs. IPS deployment feedback


Andrew Plato wrote:
Number of rules does not equal quality of IDS/IPS technology.

Or in other words, just because an IDS/IPS has a zillion rules doesn't 
mean those rules are any good. Or that implementing or using that 
technology is good.

Your 500 number is wrong. When you get into the leading commercial 
IPSs (TippingPoint, ISS, Juniper, McAfee) these products on average 
have 2000-3000 signatures.

I'd be very interested to know how you would know this, since their 
"signatures" are proprietary.  Does TP have a list of their "signatures"
somewhere that I can look at?  (Trust me, I've asked.)

However, in some technologies, one signature
handles an entire class of vulnerabilities. Where Snort needs multiple
signatures for the same vulnerability, ISS can protect against the 
vulnerability with 1 signature. TP is the same.

Interesting.  I use both snort and TP daily.  Please explain how you 
know this.  Please provide one single example of proof of a single TP 
signature that equals multiple snort signatures yet both cover only the 
exact same vulnerability.

I don't know Juniper and
McAfee as well, but I suspect they are similar.

Snort also has a lot of unique signatures that people have designed 
for highly specialized purposes. That is definitely a benefit to some 
organizations. But, those signatures are only useful in those unique 
situations. And all the commercial products support custom signatures 
- so you can do the same thing for your TP or ISS box.

Interesting.  Please provide the documentation for custom signatures on 
TP.  I could definitely use them.  (I'm hoping you don't mean the 
fill-in-a-box GUI they provide.  I'm looking for the type of 
customization I can only get with snort.)

Furthermore, Snort rules are developed by volunteers (or Sourcefire). 
As such, SNORT is usually behind the curve on new signatures. ISS, for
example, does their own independent security research and has 
signatures to protect against things that Snort people don't even know
about.

Interesting.  Please provide an example of where ISS was detecting a 
vulnerability before snort was.

I suspect the folks at VRT would be highly offended by the implication 
that they're not professional enough to recognize vulnerabilities, but 
I'll let them defend themselves.  They're certainly an "independent 
security research" team.

Other
vendors buy exploits from the hacker market - again giving them access
to vulnerabilities long before it hits the public and subsequently the
people who develop SNORT signatures.

Ignoring the ethics of funding the hacker market, please provide proof 
that Sourcefire never knows about vulnerabilities until they hit the
public.

Now, I realize I sound like a ISS or TippingPoint sales person. And 
yes, I have a vested interest in such products because my company 
sells them.

Have you ever installed snort?  Used it?  Run it side by side with TP? 
Or ISS?  Or both?  Done any comparison tests?

But, I also know that I've seen more than a few organizations throw 
away Snort-based protections because the administration and management
of them was too resource intensive. And merely having 5000 signatures 
available does not translate to effective security.

Really?  I find my snort install much more useful than the TP install 
for tracking down things that don't fit the cookie cutter scenarios that
most IDSes work with.  One-size-fits-all exploits are a dime a dozen. 
It's the oddballs that should get your attention, but TP doesn't "see" 
those (nor would I want it to.  That's not its purpose.)

Your analysis doesn't strike me as fact-based.  Perhaps you can convince
me otherwise?
-- 
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas http://www.utdallas.edu/ir/security/
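The thread above argues about whether one vulnerability-oriented signature can stand in for several exploit-oriented ones. The following Python script is an added illustration of that distinction and is not code from the thread, from Snort, or from any vendor mentioned. It runs two detection styles over a constructed SMTP session: pattern signatures keyed on fragments of two hypothetical attack payloads, and a single check on the condition that actually matters for a long-argument overflow in a verb such as X-LINK2STATE (the argument length). The session lines, the byte patterns, the "CHUNK=" argument syntax and the 256-byte threshold are all made up for the demo; none of them reflects the real MS05-021 bound or any real signature.

```python
"""
Exploit-pattern signatures versus a vulnerability-condition check.

Constructed example, not from the mailing-list thread.  Every input line,
byte pattern and threshold below is made up for illustration only.
"""
import re

# Two "exploit-pattern" signatures.  Each one fingerprints a fragment that a
# particular (hypothetical) attack tool sends; neither says anything about
# *why* the traffic is dangerous.
EXPLOIT_SIGNATURES = {
    "exploit-A": re.compile(rb"X-LINK2STATE\s+CHUNK=A{64,}", re.IGNORECASE),
    "exploit-B": re.compile(rb"X-LINK2STATE\s+CHUNK=\x90{64,}", re.IGNORECASE),
}

# One "vulnerability-condition" check: any X-LINK2STATE command whose
# argument exceeds a length bound is flagged, whatever bytes it contains.
# MAX_ARG_LEN is an assumed demo value, not the real vulnerable bound.
MAX_ARG_LEN = 256
VERB_RE = re.compile(rb"^(X-LINK2STATE)\s+(.*)$", re.IGNORECASE)


def match_exploit_signatures(line: bytes) -> list[str]:
    """Return the names of every exploit-pattern signature that fires."""
    return [name for name, rx in EXPLOIT_SIGNATURES.items() if rx.search(line)]


def violates_vulnerability_condition(line: bytes) -> bool:
    """True when the verb's argument is longer than the server should accept."""
    m = VERB_RE.match(line.rstrip(b"\r\n"))
    return m is not None and len(m.group(2)) > MAX_ARG_LEN


def classify(session: list[bytes]) -> list[tuple[int, list[str], bool]]:
    """Run both detection styles over each line of a session."""
    return [
        (i, match_exploit_signatures(line), violates_vulnerability_condition(line))
        for i, line in enumerate(session)
    ]


def summarize(results: list[tuple[int, list[str], bool]]) -> tuple[int, int]:
    """(lines flagged by any exploit signature, lines flagged by the condition)."""
    by_signature = sum(1 for _, hits, _ in results if hits)
    by_condition = sum(1 for _, _, cond in results if cond)
    return by_signature, by_condition


# Constructed session: one benign greeting, two payload variants the
# signatures were written for, one variant they have never seen, and one
# harmless short command.
SAMPLE_SESSION = [
    b"EHLO mail.example.test\r\n",
    b"X-LINK2STATE CHUNK=" + b"A" * 400 + b"\r\n",
    b"X-LINK2STATE CHUNK=" + b"\x90" * 400 + b"\r\n",
    b"X-LINK2STATE CHUNK=" + b"Z" * 400 + b"\r\n",
    b"X-LINK2STATE CHUNK=ok\r\n",
]

if __name__ == "__main__":
    for idx, hits, cond in classify(SAMPLE_SESSION):
        print(f"line {idx}: exploit signatures={hits or '-'} "
              f"length condition={'HIT' if cond else '-'}")
    print("flagged by signatures vs. by condition:", summarize(classify(SAMPLE_SESSION)))
```

Line 3 is the point of the exercise: a payload the signature authors never saw slips past both pattern rules but still trips the single length check, which is the sense in which one vulnerability-oriented rule can replace several exploit-oriented ones. The trade-off runs the other way as well: the length check knows nothing about which tool produced the traffic, so it cannot supply the attribution detail a per-exploit rule carries.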
