IDS mailing list archives
Re: signature based IDS/IPS effectiveness
From: Stefano Zanero <s.zanero () securenetwork it>
Date: Wed, 09 Jan 2008 21:52:09 +0100
GMail wrote:
protocols which involves grammar like PL/SQL. Using PL/SQL I can write same query with different ways and different constructs that leads to different query patterns.
You can do that with almost any type of attack. Attacks are polymorph, and unless the signature can target a specific feature of the attack which is unescapable and has no legal uses, misuse-based systems are bound to fail or to need very complex normalizations to take place.
That's a well known problem with misuse detection, it's been known for 15 years at least :)
Stefano ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly?Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more.
------------------------------------------------------------------------
Current thread:
- Re: Preventing layer 3/4 evasions Martin Roesch (Jan 07)
- Re: Preventing layer 3/4 evasions Jeremy Bennett (Jan 09)
- <Possible follow-ups>
- RE: Preventing layer 3/4 evasions Mike Barkett (Jan 07)
- signature based IDS/IPS effectiveness GMail (Jan 09)
- Re: signature based IDS/IPS effectiveness Stefano Zanero (Jan 09)
- Looking for feedback on anomaly-based IDS systems Libershal, David M. (Jan 09)
- Re: Looking for feedback on anomaly-based IDS systems p1g (Jan 10)
- Re: signature based IDS/IPS effectiveness Jamie Riden (Jan 10)
- Re: signature based IDS/IPS effectiveness GMail (Jan 10)
- RE: signature based IDS/IPS effectiveness Nelson Brito (Jan 10)
- Re: signature based IDS/IPS effectiveness Paul Schmehl (Jan 10)
- signature based IDS/IPS effectiveness GMail (Jan 09)
- Message not available
- Re: signature based IDS/IPS effectiveness Jamie Riden (Jan 10)