IDS mailing list archives
Re: Re: Re: Re: HTTP traffic
From: "Abhishek Bhuyan" <abhuyan () gmail com>
Date: Fri, 10 Aug 2007 01:56:03 +0530
Just some pointers based on the question which *was* asked, on which abhicc did agree that there are false positive scenarios. What I presume from most is that there are no cases of false positives at all. My personal experience after working in a host-based IPS company is that I have come across many false positive scenarios. Maybe I'm a step behind all of you, or the functionality is kind of limited.

HTTP is a simple text-based protocol for which we also have a predefined RFC. I think that would give the best understanding of the protocol itself. Coming to the client side, for which I think the focus changes to host-based IDS/IPS:

Hirosh - Very true. A proper product *should* do it -- personally I'm yet to see, or am not aware of, any product which has JavaScript parsers or decodes all file format structures, which would help to write vulnerability-specific rules to tackle some vulnerabilities. For evasions, though a bit off-topic, it would be interesting to see how many stop gzip+chunked evasions :)

abhicc - Yes, the only reason being that tackling the client side is kind of a pain. Also the kind of functionality which we get, not forgetting the performance impact it might have. I'm not claiming anything or wanting to win the rat race. What kind of result do you want to know? I cannot share the benchmark or test setup details with you, but could certainly give you many examples. Again, that would be disclosing something which should not be :) By being creative I meant not just looking for patterns from the exploit, but something which will make more sense rather than just looking for, say, "AAA" for a specific overflow. It's debatable and will depend on the exploit/vulnerability.

-Abhishek

On 9 Aug 2007 09:44:54 -0000, kroudo () gmail com <kroudo () gmail com> wrote:
well Abhishek, abhicc makes perfect sense describing the way to create regions for scanning the traffic... these regions help remove the unwanted traffic from being scanned and hence removes fps. What is so difficult in it to understand?

------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more.
------------------------------------------------------------------------
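The gzip+chunked evasion mentioned in the post above, as an added example that is not part of the original thread or of any product discussed in it. It builds a constructed HTTP/1.1 response whose body is gzip-compressed and then chunk-encoded, and shows why a signature applied to the raw wire bytes misses a 64-byte run of "A" that a normalizer which first removes the chunking and then gunzips the body does find. The signature, the chunk size and the sample HTML body are all assumptions chosen for illustration; the normalizer follows the RFC ordering (Transfer-Encoding is undone before Content-Encoding) and rejects truncated or malformed chunk framing instead of silently scanning a partial body.

```python
import gzip
import re

# Assumed crude overflow-style signature: 16 consecutive 'A' bytes.
PATTERN = re.compile(rb"A{16}")


def make_chunked_gzip_response(body: bytes, chunk_size: int = 7) -> bytes:
    """Build an HTTP/1.1 response with Content-Encoding: gzip and
    Transfer-Encoding: chunked (gzip applied first, then chunking)."""
    compressed = gzip.compress(body, mtime=0)  # mtime=0 keeps output deterministic
    chunks = []
    for i in range(0, len(compressed), chunk_size):
        piece = compressed[i:i + chunk_size]
        chunks.append(b"%x\r\n%s\r\n" % (len(piece), piece))
    chunks.append(b"0\r\n\r\n")  # last-chunk marker, no trailers
    headers = (b"HTTP/1.1 200 OK\r\n"
               b"Content-Type: text/html\r\n"
               b"Content-Encoding: gzip\r\n"
               b"Transfer-Encoding: chunked\r\n\r\n")
    return headers + b"".join(chunks)


def split_headers(raw: bytes):
    """Return (status line, {lowercased name: lowercased value}, body bytes)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    return lines[0], headers, body


def dechunk(data: bytes) -> bytes:
    """Undo chunked transfer encoding; raise on truncated or malformed framing."""
    out = bytearray()
    pos = 0
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        size_line = data[pos:eol].split(b";")[0].strip()  # drop chunk extensions
        size = int(size_line, 16)
        pos = eol + 2
        if size == 0:
            return bytes(out)  # last chunk; trailers, if any, are ignored here
        end = pos + size
        if len(data) < end + 2 or data[end:end + 2] != b"\r\n":
            raise ValueError("malformed chunk body")
        out += data[pos:end]
        pos = end + 2


def normalize_body(raw: bytes) -> bytes:
    """Recover the body as the client will see it: dechunk, then decompress."""
    _, headers, body = split_headers(raw)
    codings = [t.strip() for t in headers.get(b"transfer-encoding", b"").split(b",")]
    if b"chunked" in codings:
        body = dechunk(body)
    if headers.get(b"content-encoding") == b"gzip":
        body = gzip.decompress(body)
    return body


def naive_match(raw: bytes) -> bool:
    """Signature applied to the raw wire bytes (no decoding)."""
    return PATTERN.search(raw) is not None


def normalized_match(raw: bytes) -> bool:
    """Signature applied after dechunking and decompressing the body."""
    return PATTERN.search(normalize_body(raw)) is not None


# Constructed sample body: an overflow-style run of 'A' inside a script tag.
CONSTRUCTED_BODY = (b"<html><body><script>var p='" + b"A" * 64 +
                    b"';</script></body></html>")
RAW_RESPONSE = make_chunked_gzip_response(CONSTRUCTED_BODY)

if __name__ == "__main__":
    print("raw-bytes match:      ", naive_match(RAW_RESPONSE))
    print("normalized match:     ", normalized_match(RAW_RESPONSE))
```

Run stand-alone it prints False for the raw-bytes match and True for the normalized one. The point for an inline sensor is that the decoding has to happen on the wire before any rule runs, which is exactly the per-flow state and CPU cost that the thread's performance remarks are about; a sensor that cannot afford it should at least alert on chunked+gzip bodies it did not decode rather than declare them clean.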
Current thread:
- Re: Re: HTTP traffic abhuyan (Aug 03)
- <Possible follow-ups>
- Re: Re: Re: HTTP traffic abhicc285 (Aug 07)
- Re: Re: Re: HTTP traffic hirosh (Aug 08)
- Re: Re: Re: HTTP traffic Abhishek Bhuyan (Aug 08)
- Re: Re: Re: Re: HTTP traffic hirosh (Aug 09)
- Re: Re: Re: Re: HTTP traffic maverick . avi (Aug 09)
- Re: Re: Re: Re: HTTP traffic abhicc285 (Aug 09)
- Re: Re: Re: Re: HTTP traffic kroudo (Aug 09)
- Re: Re: Re: Re: HTTP traffic Abhishek Bhuyan (Aug 10)
- Re: Re: Re: Re: Re: HTTP traffic abhicc285 (Aug 10)
- Re: Re: Re: Re: HTTP traffic abhicc285 (Aug 10)
- Re: Re: Re: Re: Re: HTTP traffic abhicc285 (Aug 13)
- Re: Re: Re: Re: Re: HTTP traffic Abhishek Bhuyan (Aug 14)