IDS mailing list archives
RE: IDS detection approaches
From: "Nelson Brito" <nbrito () sekure org>
Date: Fri, 12 Oct 2007 18:10:21 -0300
> You are not talking about missing a vulnerable condition, you are talking about not handling a _non_ vulnerable condition. There is a very real difference that has practical solutions and side effects. Who cares if you can generate events for something on a stateless protocol that is "correct" but an unsuccessful attempt? It's a trivial post-processing effort; a more real threat would be millions of real payloads requiring wetware analysis, not perl. That is why endpoint analysis becomes important, not a trivially excluded meaningless payload.

I'm talking about both. When you don't have a real approach to detect a real exploitation of any vulnerability you are opening a door for outsiders. It does not matter if you are open to false positives or false negatives. I believe that having a huge amount of false positives in the middle of the night, taking you from your bed, is as bad as you keeping on sleeping while someone bypasses your protection. Remember the little boy screaming "Wolf, wolf, wolf..."

> Hobbyist signatures are for the hobbyist and hammers are for nails; you can still get a screw into wood with a hammer though.

I do agree with your statement, but what I see is that too many professionals are still hobbyists and amateurs when writing signatures or adopting old and weak approaches for detection and protection.

> It is not that you are not being clear, I think that you are missing your point.

My point still is, from the beginning to now, the weakness of adopting pattern matching as your primary and most important detection technology. Period!!!

> Target the IPS all you want, but do it with real payloads; BS known unsuccessful payloads are trivially post-processed and thus entirely ineffective. You should use real payloads or achieve evasion so you at least force wetware analysis and/or endpoint intelligence.

Now, you are missing the point, because real payloads help you to attack the target and fake payloads just bore you and mess with your relaxation. I'm done and am doing a filter to send all the rest to /dev/null. Thanks to the moderator and the rest of you for your patience with my posts in this thread.

Best regards.

Nelson Brito
Senior IPS Engineer & Pen-tester
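The disagreement in the exchange above, a pattern-matching signature versus a check of whether the vulnerable condition is actually met, in runnable form. This is an added example and is not part of Nelson Brito's post, the thread, or any product's rule set: the "USER" command format, the 64-byte buffer, the signature regex and all four sample packets are constructed assumptions for illustration, not a real protocol implementation or a real vulnerability.

```python
import re

# Constructed, hypothetical wire format for illustration only (not a real protocol,
# product or CVE): one command line "USER <name>\r\n". Assume the receiving server
# copies <name> into a fixed 64-byte buffer, so the vulnerable condition is simply
# len(name) > USER_BUFFER. Everything in this block is an assumption for the example.
USER_BUFFER = 64

# Pattern-matching "signature": fire on a long run of classic filler bytes
# ('A' or a NOP 0x90) after the command, the way a rule written from one public
# exploit would. It knows nothing about the buffer size.
SIGNATURE = re.compile(rb"USER [A\x90]{32,}")

# Protocol-aware parser: extract the field the server actually copies.
COMMAND = re.compile(rb"USER ([^\r\n]*)\r\n")


def signature_match(packet: bytes) -> bool:
    """Stateless pattern match: does the payload look like a known exploit?"""
    return SIGNATURE.search(packet) is not None


def condition_match(packet: bytes) -> bool:
    """Vulnerable-condition check: would this payload overrun the buffer at all?"""
    m = COMMAND.match(packet)
    if m is None:
        return False  # not a well-formed USER command, so the copy is never reached
    return len(m.group(1)) > USER_BUFFER


def classify(packet: bytes) -> dict:
    """Run both detectors so their errors can be compared side by side."""
    return {"signature": signature_match(packet), "condition": condition_match(packet)}


# Constructed sample traffic.
BENIGN = b"USER alice\r\n"
# A "known unsuccessful" probe: looks like an exploit, but 40 bytes fit in the buffer.
FAKE = b"USER " + b"A" * 40 + b"\r\n"
# A real overflow that avoids the filler pattern: 104 non-repeating bytes.
REAL_EVASIVE = b"USER " + bytes(range(0x41, 0x5B)) * 4 + b"\r\n"
# A real overflow written the lazy way; the signature happens to catch this one.
REAL_SLED = b"USER " + b"\x90" * 100 + b"\r\n"


def summarize(packets) -> dict:
    """Count what each approach would have woken the analyst up for."""
    sig_alerts = sum(signature_match(p) for p in packets)
    real_hits = sum(condition_match(p) for p in packets)
    missed_by_sig = sum(condition_match(p) and not signature_match(p) for p in packets)
    noise_from_sig = sum(signature_match(p) and not condition_match(p) for p in packets)
    return {
        "signature_alerts": sig_alerts,
        "real_exploits": real_hits,
        "false_negatives": missed_by_sig,
        "false_positives": noise_from_sig,
    }


if __name__ == "__main__":
    for name, pkt in [("benign", BENIGN), ("fake", FAKE),
                      ("real_evasive", REAL_EVASIVE), ("real_sled", REAL_SLED)]:
        print(f"{name:13s} {classify(pkt)}")
    print(summarize([BENIGN, FAKE, REAL_EVASIVE, REAL_SLED]))
```

Run as a script, it shows the two failure modes in one table: the signature fires on the harmless 40-byte probe (the "wolf" alert that gets someone out of bed) and stays silent on the 104-byte payload that avoids the filler run, while the condition check gets both right. The cost of the condition check is that it needs a parser for the protocol and knowledge of the buffer size, which is exactly the work that "trivial post-processing" of signature alerts would otherwise have to do.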
Current thread:
- Oracle XDB FTP, (continued)
- Oracle XDB FTP Kanagasingham, Prathaben (Oct 26)
- RE: IDS detection approaches Nelson Brito (Oct 09)
- Re: IDS detection approaches Sec urity (Oct 09)
- RE: IDS detection approaches Nelson Brito (Oct 10)
- Re: IDS detection approaches Sec urity (Oct 10)
- Message not available
- Re: IDS detection approaches Sec urity (Oct 12)
- RE: IDS detection approaches Nelson Brito (Oct 12)
- Re: IDS detection approaches Sec urity (Oct 12)
- RE: IDS detection approaches Nelson Brito (Oct 12)
- Re: IDS detection approaches Jason (Oct 12)
- RE: IDS detection approaches Nelson Brito (Oct 15)
- Re: IDS detection approaches Jason (Oct 15)
- Re: IDS detection approaches Sec urity (Oct 09)
- Re: IDS detection approaches Gary Halleen (Oct 15)
- RE: IDS detection approaches Marcio (Oct 18)