Penetration Testing mailing list archives
Re: [PEN-TEST] Recourse Technolo
From: LEE FISHER <LEE.FISHER () BCBSSC COM>
Date: Wed, 4 Oct 2000 08:20:00 -0400
Not every network is the same and the tools used must be tailored for that network and the threat, which may or may not create the need for installing a honeypot. Everyone seems to be concentrating on using the honeypot on the external side, but it can be useful flypaper for the internal side of networks. Insider issues must be addressed in any layered defense plan and there are some valuable pluses to deploying an internal honeypot.

LF

------------------( Forwarded letter 1 follows )---------------------
Date: Tue, 3 Oct 2000 14:14:37 -0700
To: PEN-TEST () SECURITYFOCUS COM inet
From: mark.teicher () NETWORKICE COM inet
Sender: owner-pen-test () SECURITYFOCUS COM inet
Reply-To: Penetration.Testers[PEN-TEST]@SECURITYFOCUS.COM.inet
Subject: Re: [PEN-TEST] Recourse Technologies -- info wanted

OK, here we go again. The definition of what an attack signature is has been very skewed these days. Each IDS vendor has their own definition of what an attack signature is; this also goes for people who used to be involved in security scanner type development. How one vendor defines a signature is completely different from the next. Sales/Marketing people use the signature game to land a sale when in fact an IDS with fewer "signatures" per se may be a better product than the others. Throwing in bad URLs or porn sites is a good way of fattening up one's signature base.

Pattern matching or full protocol analysis is the differentiator; once you are at the packet level, only a few IDS vendors can actually analyze lots of traffic (big pipes) instead of small to medium pipes. The essence of it is probably in the heuristics of the protocol analysis of the would-be attack. Once you have licked this issue, as some IDS vendors have, optimizing it is the next real issue.

The issue with ManTrap/ManHunt is that it really isn't designed to handle lots of connections at once, and one small TCP ESTAB that is doing something malicious

If someone comes up with a way to do this, please feel free to post.
I was just commenting on the fact that a HoneyPot need not be fast, but should be able to capture a hacker's input, assemble a reasonable recording of what the hack attempts were, and provide some sort of feedback on how certain systems should be tuned to avoid being hacked in real time.

On Tue, 3 Oct 2000, Oliver Friedrichs wrote:
I've come to believe that this is more of a marketing tactic than an actual fact. I can believe that this would be true for an IDS with only a few signatures enabled, or one doing offline processing, but for an IDS that is doing pattern matches on over 700 signatures in realtime, this is practically infeasible. Feel free to prove me wrong, but I've heard from several people, even friends working for competing companies, that claim their IDS does this, and I don't believe it. My reasoning is that for me to believe this there have to be proven facts, rather than marketing hype. And I would also want to understand their algorithm for doing this, which I don't believe any of them have made public.

This is very similar to the scanner market, where each vendor may have their own method for detecting a particular vulnerability, and the customer places implicit trust in the vendor, with very few having any idea what happens under the hood. I doubt this will change anytime soon though; after all, who would want to release such a detailed specification of their product, in fear of losing their perceived advantage.

- Oliver

-----Original Message-----
From: Mark Teicher [mailto:mark.teicher () NETWORKICE COM]
Sent: Tuesday, October 03, 2000 8:43 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] Recourse Technologies -- info wanted

I would like to see them prove the following statement: "With 100 percent data capture at volumes exceeding 1 Gbps". Since only a few IDS vendors are capable of capturing data at volumes of 1 Gbps.

/mark

At 11:08 PM 10/2/00 -0400, subscribe wrote:

ManTrap and ManHunt: coded in C++ and Java... the usual JAVA for the GUI viewing.... what else?
>> oh, has 'typical' signatures coded in software, BUT also has 'anomaly' based signatures as well... not pure 'anomaly', but it has been coded in a way that it attempts to take a known signature, tweak it a bit (for example, slow the packets down, etc.), and treat that as a threat as well. In layman's terms, it knows what all IDS know, and a step beyond: it attempts to pre-empt new attacks which are based on old ones via these anomaly signatures.
>> c.t.

Hello: Has anybody dealt with or know about Recourse Technologies (www.recoursetechnologies.com) and its products? Any info is appreciated.
Thanks,
-andrew
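The thread above argues that per-packet pattern matching and stream-aware protocol analysis are the real differentiator between IDS products, and c.t. mentions evasions such as slowing or splitting packets. The following added example (not code from any poster, nor from Recourse's ManTrap/ManHunt) illustrates the point on a constructed TCP stream: the same content signature is missed when each segment is scanned in isolation and found once the flow is reassembled, even with out-of-order delivery and a retransmitted segment. The signatures, addresses and payloads are hypothetical sample data.

```python
"""Per-packet pattern matching versus stream reassembly on a constructed
TCP flow.  Added illustration; not from the thread or any vendor."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

FlowKey = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)

# Constructed content signatures (hypothetical; not any vendor's rule set).
SIGNATURES: Dict[str, bytes] = {
    "dir-traversal": b"../../",
    "shell-exec": b"/bin/sh",
}


@dataclass
class Segment:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    seq: int          # TCP sequence number of the first payload byte
    payload: bytes

    @property
    def flow(self) -> FlowKey:
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port)


def match_per_packet(segments: List[Segment]) -> List[Tuple[str, int]]:
    """Naive IDS: scan each segment's payload on its own.  A signature that
    straddles a segment boundary is never seen.  Returns (name, seq) pairs."""
    alerts = []
    for seg in segments:
        for name, pattern in SIGNATURES.items():
            if pattern in seg.payload:
                alerts.append((name, seg.seq))
    return alerts


def reassemble(segments: List[Segment]) -> Dict[FlowKey, bytes]:
    """Rebuild each flow's byte stream: order by sequence number, trim the
    overlapping part of retransmissions, and stop at a hole (the real sensor
    would buffer and wait for the missing segment)."""
    by_flow: Dict[FlowKey, List[Segment]] = {}
    for seg in segments:
        by_flow.setdefault(seg.flow, []).append(seg)
    streams: Dict[FlowKey, bytes] = {}
    for key, segs in by_flow.items():
        segs.sort(key=lambda s: s.seq)          # stable sort keeps duplicates adjacent
        buf = bytearray()
        expected = segs[0].seq
        for seg in segs:
            if seg.seq > expected:
                break                           # gap: data not yet seen
            data = seg.payload[expected - seg.seq:]  # drop already-seen bytes
            buf += data
            expected += len(data)
        streams[key] = bytes(buf)
    return streams


def match_stream(segments: List[Segment]) -> List[Tuple[str, FlowKey, int]]:
    """Stream-aware IDS: scan the reassembled flow.  Returns
    (name, flow, offset_in_stream) triples."""
    alerts = []
    for key, stream in reassemble(segments).items():
        for name, pattern in SIGNATURES.items():
            off = stream.find(pattern)
            if off != -1:
                alerts.append((name, key, off))
    return alerts


# Constructed sample: one HTTP request split so "../../" straddles two
# segments, delivered out of order, with the first segment retransmitted.
ATTACKER: FlowKey = ("10.0.0.5", 40000, "10.0.0.9", 80)
SAMPLE: List[Segment] = [
    Segment(*ATTACKER, seq=1008, payload=b"../etc/passwd HTTP/1.0\r\n\r\n"),
    Segment(*ATTACKER, seq=1000, payload=b"GET /../"),
    Segment(*ATTACKER, seq=1000, payload=b"GET /../"),   # retransmission
]

if __name__ == "__main__":
    print("per-packet alerts:", match_per_packet(SAMPLE))   # []
    print("stream alerts:    ", match_stream(SAMPLE))       # dir-traversal at offset 5
```

Run as a script: the per-packet scan reports nothing, while the reassembled stream `GET /../../etc/passwd HTTP/1.0` triggers `dir-traversal` at byte offset 5. The reassembler is deliberately minimal (it stops at the first hole rather than buffering); the operating cost Oliver and Mark debate is exactly that of keeping this per-flow state and scanning every byte of it at line rate.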