IDS mailing list archives

Re: IDS vs. IPS deployment feedback


From: Paul Schmehl <pauls () utdallas edu>
Date: Wed, 12 Apr 2006 10:55:03 -0500

Palmer, Paul (ISSAtlanta) wrote:
> Paul Schmehl wrote:
>
>> Interesting.  Please provide an example of where ISS was detecting a
>> vulnerability before snort was.
>
> I can give you several off the top of my head:
>
> MS05-039/CVE-2005-1983 (Stack overflow in UPNP BO)
> MS05-021/CVE-2005-0560 (Heap overflow in the Microsoft Exchange
> X-LINK2STATE verb)
> CVE-2006-0058 (the recent race condition in the Sendmail signal handler)
>
> Granted, ISS discovered all three of these and that is why it had
> protection in its products before SNORT (in some cases a long time
> before SNORT or any other vendor). But, then I believe this is the point
> that Andrew was trying to make.

Of course Andrew's point was that this is the norm, not the exception. If snort has ever detected a vulnerability before ISS, then his point is rather moot, wouldn't you say?

--
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
