Snort mailing list archives

Re: flow_depth and WMF exploit


From: Jason <security () brvenik com>
Date: Thu, 05 Jan 2006 12:59:39 -0500



Frank Knobbe wrote:
> On Thu, 2006-01-05 at 12:11 -0500, Jason wrote:
>
>> At no point in time was an IDS/IPS _designed_ to handle client side
>> attacks or the myriad of options for encodings, file formats,
>> compression, embedding... that exist on the client side. This function
>> has and will remain a responsibility of software on the host.
>> Traditionally this has been AV and unfortunately they have been failing
>> to respond effectively.


> Please don't put words into my mouth. I didn't say this at all. Matter
> of fact, I said the same thing you said in a different email.

I didn't intend to put words in your mouth at all. I am stating that it
is unfortunate that AV is failing to respond effectively. I think that
as a result of this people are searching for other things that can help
them out.



>> The assertion that IPS is less capable of performing the task it is
>> designed for is fallacious and only highlights the complete lack of
>> understanding in the market of the technology.


> Not quite. IPSes that claim to inspect traffic at wire speed (that
> includes server responses), are less capable of performing the
> inspection tasks at higher speeds when the workload is increased by also
> having to decode the data first from various encoding formats. (Proxies
> are better suited for that since they were designed from day one as an
> accept-and-forward type device.)

This is rather obvious, isn't it?

Your statement also further highlights that there is a complete lack of
understanding in the market. That any vendor claims to be able to
perform this at wire speed, handling all or even the most common
potential encodings and formats, and actually markets the technology
that way is a disservice.

That you echo these thoughts is good. That you seemingly buy into the
methodology and think it is a tool that is appropriate is not good.


> I'm not talking about your rate-limiters and profile based IPSes.
> Actually, we didn't even venture into the I_P_S arena at all, and
> purposefully so. Please don't lead us there, especially not with
> dismissing comments like above.


The comment is not dismissive at all. IMHO it is factual and
representative of the misconception people have of the appropriate use
of technology.


> -Frank


> --
> It is said that the Internet is a public utility. As such, it is best
> compared to a sewer. A big, fat pipe with a bunch of crap sloshing
> against your ports.


