Snort mailing list archives
Re: flow_depth and WMF exploit
From: Jason <security () brvenik com>
Date: Thu, 05 Jan 2006 12:11:45 -0500
Frank Knobbe wrote:
> On Thu, 2006-01-05 at 11:33 -0500, Matthew Watchinski wrote:
> > 3. Http_inspect was designed on purpose to ignore most if not all server response traffic. If you set flow_depth to 0 and stream4_reassemble to both all, you will take an 80% to 90% performance hit. This is probably ok if you have sub 10 meg links. If you don't, this is not ok, especially if you are in an inline configuration.
>
> Right. It has to be a balance between performance and inspection-ability. Either you look at a lot of packets, but not very closely, or you analyze deeper, but not as many. Unfortunately that means that when networks get faster and faster, IDSes are analyzing less and less data. I don't want to bring up the whole IDS-is-dead thread again, but it seems that IDSes are less capable of inspecting traffic every year. Seems to me that they are moving from a packet analysis tool to a flow analysis tool, usable for profiling (behavioral, RNA, and stuff like that).
>
> -Frank
At no point in time was an IDS/IPS _designed_ to handle client side attacks or the myriad of options for encodings, file formats, compression, embedding... that exist on the client side. This function has been, and will remain, a responsibility of software on the host. Traditionally this has been AV, and unfortunately they have been failing to respond effectively. Just because a hammer can drive a screw does not mean you should use it that way. If a hammer is the only tool you have available at the time, that is fine, but don't complain to Home Depot that the screws are not holding as strongly as you expect. The assertion that IPS is less capable of performing the task it is designed for is fallacious and only highlights the complete lack of understanding in the market of the technology.
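The flow_depth trade-off quoted from Matthew Watchinski above (how much of each HTTP server response the detection engine actually gets to search, versus how many bytes it has to chew through), modelled as an added example. This is constructed illustration code, not Snort source; it assumes Snort 2.x http_inspect semantics where flow_depth 0 means "inspect the whole response" and a positive value means "only the first N bytes", and it uses the placeable-WMF header magic as a stand-in content pattern.

```python
# Constructed model of the http_inspect flow_depth trade-off (not Snort code).
# Assumed semantics: flow_depth 0 = inspect all server response bytes,
# flow_depth N > 0 = hand only the first N bytes to the detection engine.

WMF_MAGIC = b"\xd7\xcd\xc6\x9a"  # placeable-WMF header magic, used as the content pattern


def inspected_window(response: bytes, flow_depth: int) -> bytes:
    """Return the slice of a server response that rule matching can see."""
    if flow_depth < 0:
        raise ValueError("flow_depth must be 0 (all) or a positive byte count")
    return response if flow_depth == 0 else response[:flow_depth]


def pattern_seen(response: bytes, pattern: bytes, flow_depth: int) -> bool:
    """True if a content match on `pattern` could fire under this flow_depth."""
    return pattern in inspected_window(response, flow_depth)


def bytes_inspected(responses, flow_depth: int) -> int:
    """Rough cost proxy: total bytes the detection engine must search."""
    return sum(len(inspected_window(r, flow_depth)) for r in responses)


def build_response(body: bytes) -> bytes:
    """Constructed HTTP/1.1 200 response carrying `body`."""
    head = (b"HTTP/1.1 200 OK\r\nContent-Type: image/x-wmf\r\n"
            b"Content-Length: %d\r\n\r\n" % len(body))
    return head + body


# Constructed traffic: one response with the metafile right after the headers,
# one that pads it past a 300-byte window (assumed typical default), and a
# batch of large benign pages that dominate the inspection cost.
EARLY = build_response(WMF_MAGIC + b"\x00" * 64)
LATE = build_response(b"<html>" + b"A" * 2000 + b"</html>" + WMF_MAGIC + b"\x00" * 64)
BENIGN = [build_response(b"<html>" + b"B" * 50000 + b"</html>") for _ in range(20)]


def coverage_report(flow_depth: int) -> dict:
    """Detection coverage versus inspection cost for one flow_depth setting."""
    return {
        "early_detected": pattern_seen(EARLY, WMF_MAGIC, flow_depth),
        "late_detected": pattern_seen(LATE, WMF_MAGIC, flow_depth),
        "bytes_inspected": bytes_inspected([EARLY, LATE] + BENIGN, flow_depth),
    }


if __name__ == "__main__":
    for depth in (300, 0):
        print(f"flow_depth={depth}: {coverage_report(depth)}")
```

With the 300-byte window the pattern buried deep in the padded response is never searched; with flow_depth 0 it is found, at the price of searching every byte of the large benign pages as well.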