IDS mailing list archives
Re: Re: Re: Re: HTTP traffic
From: maverick.avi () gmail com
Date: 9 Aug 2007 04:07:19 -0000
Well, what abhicc might have meant is to have a proper protocol parser/rule, which will decode the data on the wire correctly and specifically to a protocol, and use this to decide whether a vulnerability/exploit exists, and not directly check for the vulnerability in the data on the wire stream. All data has to be seen in context with the protocol it's coming from. The same sequence of bytes has different meanings for different protocols/versions.

Regarding the exploit vs. vulnerability argument: well, going with the vulnerability is always a better option. Being exploit specific means that whenever someone smart out there comes up with a sequence of code different enough, the IDS/IPS gets bypassed, and devs have to scramble to cover this new one. Having exploit-specific signatures also means having more signatures on the box, whereas all these exploits might be using a common vector, and if the signature/rule was vulnerability specific, only 1 signature could have stopped all the exploits. Just depends how much work the DEV/QA team want to put in :-)

And I agree with Hirosh, better to take the time and do it once and do it right, than modify it every time a new version of the exploit comes out.
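The two points in the message above (decode the protocol before matching, and write the rule against the vulnerability rather than one exploit) as an added, runnable example. This is not code from the original thread or from any IDS; the vulnerable CGI handler (`/cgi-bin/search`, a `q` parameter copied into a 256-byte buffer) is a hypothetical target invented for the example, not a real CVE, and the sample requests are constructed, not captured. It assumes a server that percent-decodes once and reads form parameters from both the query string and a form-encoded POST body.

```python
import re
from urllib.parse import unquote

# Hypothetical target (an assumption for this example, not a real CVE): a CGI
# handler at /cgi-bin/search copies the decoded value of its "q" parameter into
# a 256-byte buffer without a length check.
VULN_PATH = "/cgi-bin/search"
VULN_PARAM = "q"
BUFFER_LIMIT = 256

# Exploit-specific signature: the raw bytes of one published exploit, matched
# directly against the wire stream with no protocol decoding.
EXPLOIT_SIG = re.compile(rb"GET /cgi-bin/search\?q=A{256,}")


def exploit_signature_hit(raw: bytes) -> bool:
    return EXPLOIT_SIG.search(raw) is not None


def _parse_form(encoded: str) -> dict:
    """Split key=value&key=value and percent-decode both sides (one decode pass,
    matching a server that decodes once)."""
    params = {}
    for pair in encoded.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[unquote(key)] = unquote(value)
    return params


def parse_http_request(raw: bytes) -> dict:
    """Minimal HTTP/1.x request parser: request line, headers, query string and
    (for form POSTs) the body, decoded the way the server would see them."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    path, _, query = target.partition("?")
    params = _parse_form(query)
    ctype = headers.get("content-type", "")
    if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        length = int(headers.get("content-length", len(body)))
        params.update(_parse_form(body[:length].decode("latin-1")))
    return {"method": method, "path": unquote(path), "params": params}


def vulnerability_rule_hit(raw: bytes) -> bool:
    """Vulnerability-specific rule: fires on the condition that triggers the bug
    (decoded "q" longer than the buffer, on the vulnerable path), regardless of
    how the request was encoded or which filler bytes the exploit uses."""
    req = parse_http_request(raw)
    return req["path"] == VULN_PATH and len(req["params"].get(VULN_PARAM, "")) > BUFFER_LIMIT


def evaluate(raw: bytes) -> tuple:
    """(exploit_signature_hit, vulnerability_rule_hit) for one request."""
    return exploit_signature_hit(raw), vulnerability_rule_hit(raw)


def _get(target: str) -> bytes:
    return f"GET {target} HTTP/1.1\r\nHost: example.test\r\n\r\n".encode("latin-1")


# Constructed sample traffic (not captured data).
ORIGINAL_EXPLOIT = _get("/cgi-bin/search?q=" + "A" * 300)
PERCENT_ENCODED = _get("/cgi-bin/search?q=" + "%41" * 300)   # same payload, encoded
ENCODED_PATH = _get("/cgi%2Dbin/search?q=" + "B" * 300)       # path encoded, new filler
POST_BODY = "q=" + "C" * 300
POST_VARIANT = (
    "POST /cgi-bin/search HTTP/1.1\r\nHost: example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    f"Content-Length: {len(POST_BODY)}\r\n\r\n{POST_BODY}"
).encode("latin-1")
BENIGN = _get("/cgi-bin/search?q=ids")
OTHER_HANDLER = _get("/cgi-bin/other?q=" + "A" * 300)         # same bytes, different context


if __name__ == "__main__":
    samples = [("original exploit", ORIGINAL_EXPLOIT), ("percent-encoded", PERCENT_ENCODED),
               ("encoded path", ENCODED_PATH), ("POST variant", POST_VARIANT),
               ("benign", BENIGN), ("other handler", OTHER_HANDLER)]
    for name, req in samples:
        sig, rule = evaluate(req)
        print(f"{name:18} exploit-sig={sig!s:5} vuln-rule={rule}")
```

The exploit-specific signature only fires on the one request it was written from; each re-encoding of the same attack slips past it, and the rule author would have to add a new pattern per variant. The vulnerability-specific rule catches all of them with one check because it tests the decoded condition the bug actually depends on, and it stays quiet on the same 300 bytes sent to a different handler, which is the "context of the protocol" point: the bytes alone do not say whether anything is wrong.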
Current thread:
- Re: Re: HTTP traffic abhuyan (Aug 03)
- <Possible follow-ups>
- Re: Re: Re: HTTP traffic abhicc285 (Aug 07)
- Re: Re: Re: HTTP traffic hirosh (Aug 08)
- Re: Re: Re: HTTP traffic Abhishek Bhuyan (Aug 08)
- Re: Re: Re: Re: HTTP traffic hirosh (Aug 09)
- Re: Re: Re: Re: HTTP traffic maverick . avi (Aug 09)
- Re: Re: Re: Re: HTTP traffic abhicc285 (Aug 09)
- Re: Re: Re: Re: HTTP traffic kroudo (Aug 09)
- Re: Re: Re: Re: HTTP traffic Abhishek Bhuyan (Aug 10)
- Re: Re: Re: Re: Re: HTTP traffic abhicc285 (Aug 10)
- Re: Re: Re: Re: HTTP traffic abhicc285 (Aug 10)
- Re: Re: Re: Re: Re: HTTP traffic abhicc285 (Aug 13)
- Re: Re: Re: Re: Re: HTTP traffic Abhishek Bhuyan (Aug 14)