Snort mailing list archives

Re: tippingpoint]


From: John Sage <jsage () finchhaven com>
Date: Sun, 19 Oct 2003 08:50:14 -0700

On Fri, Oct 17, 2003 at 10:12:20AM -0700, Geoff wrote:
John seems a little bitter :)

/* snip */

Hardly. The thread as originally opened:

From: Kerry Cox <kerry.cox () ksl com>
To: snort-users () lists sourceforge net
Subject: [Snort-users] tippingpoint
Date: 14 Oct 2003 10:49:27 -0600

"The Dell sales guy has been talking to management trying to sell them
on this intrusion prevention solution from TippingPoint Technologies.
Management, of course, is curious and wonders why we even use Snort
when we could spend money on a solution rather than have it free. :-P"

/* snip */

So we start out with a marketing guy from Dell trying to sell
something.


This post was quickly responded to in a manner that suggests we really
have a new buzz-word -- IPS (Intrusion Prevention System) -- that will
imminently replace IDS's (Intrusion Detection System):

From: Sean Perry <sean.perry () intransa com>
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] tippingpoint
Date: Tue, 14 Oct 2003 10:38:37 -0700

"IPS vendors and the trade mags have been talking about how useless
IDS are lately.  You might want to sniff around on google and the
like.  At least one mag (lost the name) had an article a month or
three back stating that IDS would be dead and gone in 2 years."

/* snip */

Here we have IPS vendors (with their own obvious self-interest) and
the "trade mags" (who live by constantly hawking The Next Great
Thing(tm)) pushing one acronym over another in next-to-absolute
terms.

"..talking about how useless IDS are.."

Yeah. Right. That's why there are so many in use in production
environments right now.


*My* point was addressed to the details of this Brave New Tool(tm) --
the IDS -- as it was presented here:

From: Geoff <gpoer () arizona edu>
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] tippingpoint]
Date: Thu, 16 Oct 2003 19:48:41 -0700

"There are plenty of companies running IPS and running it
successfully. Implementation of an IPS requires that you only
implement signatures that have a VERY low rate of false positive or
traffic that you just flat out don't care if it gets dropped. For
example: In our testing we dropped ICMP stacheldraht Agent to Server
Hello packets. It is a very easy sig to spot: the word "skillz" inside
an ICMP echo reply packet. Rarely are we going to see that one in the
wild with business-critical traffic. We also dropped ICMP Welchia
packets; they consist of an echo request with 64 A's."

/* snip */


So we have presented to us these IPS strong points:

1) implement signatures with a low false positive rate

2) detect ancient, well-known signatures


And I ask: this makes an IPS better or different than an IDS (aka:
snort) how?

By doing something different *after* the packet is identified as
malicious?

uh... OK.


My real point, perhaps not quickly stated, is that any tool needs to
be used with great thought, study, and understanding, and not just
because some marketdroid is trying to sell it, nor because it's
getting a lot of write-ups in the press.

Remember: defense in depth, not defense by marketing.



- John
-- 
"Most people don't type their own logfiles;  but, what do I care?"
-
John Sage: InfoSec Groupie
-
ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
-
ATTENTION: this entire message is privileged communication, intended
for the sole use of its recipients only. If you read it even though
you know you aren't supposed to, you're a poopy-head.
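As an added illustration of the point argued above (this is not code from the thread, from Snort, or from TippingPoint): the two signatures Geoff describes, checked against constructed ICMP messages, with the IDS and IPS paths sharing one match step and differing only in the action taken afterwards. The ICMP header layout is the standard 8-byte one; the payload checks (the literal "skillz" in an echo reply, a 64-byte run of "A" in an echo request) are assumptions taken from the post's wording.

```python
import struct

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8

# Signatures as the post describes them: (name, required ICMP type, payload test).
# Byte values follow the post's wording and are assumptions, not captured samples.
SIGNATURES = [
    ("stacheldraht agent->handler hello", ICMP_ECHO_REPLY, lambda p: b"skillz" in p),
    ("Welchia ICMP echo sweep", ICMP_ECHO_REQUEST, lambda p: p == b"A" * 64),
]


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, payload: bytes, ident: int = 0, seq: int = 0) -> bytes:
    """Construct a raw ICMP echo-style message (8-byte header + payload) for testing."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(raw: bytes):
    """Return (type, code, ident, seq, payload), or None if truncated or checksum is bad."""
    if len(raw) < 8:
        return None
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", raw[:8])
    if icmp_checksum(raw) != 0:  # a valid message sums to zero with its checksum in place
        return None
    return icmp_type, code, ident, seq, raw[8:]


def match_signature(raw: bytes):
    """The detection step: identical whether the sensor is passive (IDS) or inline (IPS)."""
    parsed = parse_icmp(raw)
    if parsed is None:
        return None
    icmp_type, _code, _ident, _seq, payload = parsed
    for name, sig_type, predicate in SIGNATURES:
        if icmp_type == sig_type and predicate(payload):
            return name
    return None


def inspect(raw: bytes, inline: bool):
    """Only the action differs: an IDS alerts on a hit, an inline IPS drops the packet."""
    name = match_signature(raw)
    if name is None:
        return ("pass", None)
    return ("drop" if inline else "alert", name)
```

Type mismatches (the string in an echo request, the 64-byte run in an echo reply) and malformed messages fall through as "pass", which is also why a signature must be narrow before it is allowed to drop anything.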

