IDS mailing list archives
Re: Re: TrafficIQ HTTP IE traffic coverage
From: Frank Knobbe <frank () knobbe us>
Date: Fri, 13 Oct 2006 11:22:48 -0500
On Thu, 2006-10-12 at 09:44 +0530, Sanjay R wrote:
> I am not trying to say that a particular IDS does not have signatures for an IE DoS (only DoS, no command execution), and TrafficIQ includes many of them, which is wrong. I think it's not a big deal to write signatures for IE related DoS attacks.

Well, a DoS can translate to loss of productivity, which does have a financial impact, so it shouldn't be dismissed completely. But inclusion of these sigs is probably more important from a marketing perspective. Most if not all IDSes on the market (including open source) have coverage for client-based IE exploits, DoS or otherwise.

However, from a risk mitigation or protective security effort perspective, these signatures are probably less relevant, unless the IDS can magically follow all possible evasion paths. (Think SSL, Zip/Compress/Deflate encoding, various semi-supported text encodings, etc.) So while these IDSes may not detect well-packaged exploits, they still need to be able to write coverage for IE issues on the marketing/performance charts.

Regards,
Frank

--
It is said that the Internet is a public utility. As such, it is best compared to a sewer. A big, fat pipe with a bunch of crap sloshing against your ports.
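
The encoding point in the message above, as an added example that is not part of the original post or of any IDS product: a sensor-side check that undoes HTTP `Content-Encoding` (gzip, deflate) before matching, and reports bodies it cannot decode as uninspected rather than clean. `SIGNATURE`, `MAX_DECODED` and all function names are hypothetical, and the responses are constructed sample data.

```python
import zlib

SIGNATURE = b"EXAMPLE-SIGNATURE-MARKER"  # constructed placeholder, not a real rule
MAX_DECODED = 1 << 20                    # assumed inspection cap (decompression-bomb guard)

def inflate(data, wbits):
    """Bounded decompression; raises if the stream is oversized, truncated or corrupt."""
    d = zlib.decompressobj(wbits)
    out = d.decompress(data, MAX_DECODED)
    if d.unconsumed_tail or not d.eof:
        raise ValueError("stream exceeds cap or is incomplete")
    return out

def decode_body(raw):
    """Return (body with Content-Encoding undone, True) or (raw body, False)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    encoding = b"identity"
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-encoding":
            encoding = value.strip().lower()
    try:
        if encoding == b"identity":
            return body, True
        if encoding in (b"gzip", b"x-gzip"):
            return inflate(body, 16 + zlib.MAX_WBITS), True
        if encoding == b"deflate":
            try:
                return inflate(body, zlib.MAX_WBITS), True   # zlib-wrapped
            except (zlib.error, ValueError):
                return inflate(body, -zlib.MAX_WBITS), True  # raw deflate
    except (zlib.error, ValueError):
        pass
    return body, False  # unsupported or undecodable: the sensor is blind here

def naive_inspect(raw):
    """Byte match on the wire image, as a pattern-only signature would do."""
    return "match" if SIGNATURE in raw else "clean"

def inspect(raw):
    """Match after normalisation; report 'uninspected' instead of a false 'clean'."""
    decoded, ok = decode_body(raw)
    if SIGNATURE in decoded:
        return "match"
    return "clean" if ok else "uninspected"

def sample(body, encoding=None):  # constructed HTTP response for the demonstration
    extra = b"Content-Encoding: " + encoding + b"\r\n" if encoding else b""
    return b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n" + extra + b"\r\n" + body
```

Counting the `uninspected` results per sensor gives a measure of how much traffic the signature set never actually saw, which a coverage chart does not show.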