Dailydave mailing list archives
RE: Sniffing is not the easy answer, Kate.
From: "Sash" <swissc () blueyonder co uk>
Date: Wed, 12 Oct 2005 04:03:21 +0100
Dear Daily Dave,

These days, the products aren't a massive tax on segmentation into which one can tap a 1Q line fed to them, and even other ways. Bar that, quad PCI (times x) is a song that is sung sometimes. Can't see it's that much of an issue bar cash :)

I'm not sure if you are baiting me here Dave :). But yes, there seem to be some issues in the Kate Moss sniffing/prevention sec industry in what we talk about. She had a 3-some. In terms of product tech, the difference between a monitoring product and a low-latency prevention product should be clear; however, essentially it's the same one "sec" tech.

What I've seen in a very curtailed research/assessment in that genre (IPS) is that it's not all that it seems on paper. "Yes we trap IE sploits", "Yes we detect DCE-RPC frags/UUID context changes", "Yes we do great DDoS detection/prevention", "Yes we see SUN RPC sploits", "Geez, even long HTTP POST requests", "rudimentary list continues....." Some explicitly claim to not do client-side stuff; some do, and even those are still evaded (by lame-arse HTML code, I'm afraid). Sometimes they even go so far as to say they are web app firewalls to some degree....... oh. Oh, and yes, CANVAS has made BIG holes in some (but not all). Metasploit's DCE-RPC/SMB frag worked on one that I trialled. But some do some really nice SYN proxying too...

To be honest Dave, is it the shellcode polymorph that's the issue (as I can't see how they can ever catch you given that as a trigger?), 'cos they can't parse asm and work out what you are doing. That's right now and for the foreseeable future, no? From recent experience it's stuff like calling DCpromo over a network, small or extended RPC frags, et al. (I can only think the list goes on, as you know) - it's abnormal behaviour. In an enterprise environment you can't stop Mr Nasty; however, Mr Badly Written Worm has a high probability of being caught.
I feel IDS helps the "picture" of the network, as OpenView may for traditional networking, and IPS blocks the really silly unpatched sploits propagating. A box that understands the proto and not so much the sigs is supreme; however, it always seems that the "in crowd" is always ahead of the "commercial crowd", and both are never ahead of the transient nationals from Country X.

Cheers
Sash

-----Original Message-----
From: Paul Melson [mailto:pmelson () gmail com]
Sent: 11 October 2005 19:56
To: 'byte_jump'
Cc: 'dailydave'
Subject: RE: [Dailydave] Sniffing is not the easy answer, Kate.

> -----Original Message-----
> Subject: Re: [Dailydave] Sniffing is not the easy answer, Kate.
>
> > An admission that NIDS products == antivirus products. "We protect you - as long as five percent of your peers have alerted us to the fact that they got owned and have provided us with samples!"
>
> No question. I didn't mean to be defending NIDS products. Even purveyors of security wares put things like cost (be it $$ or CPU%) over security. That applies both to the degree of security their products provide as well as to the security of their actual products*. But at the end of the day, signatures are easy to manage, require relatively little knowledge about the type of attack involved, and don't require a ton of CPU or memory. That's why this model is used in AV as well as NIDS/HIDS products.
>
> PaulM
>
> *I'm probably still under NDA so no specifics, but I'm aware of major design flaws, like elementary-level stuff, in two NIDS vendors' appliances (these are names you know). AFAIK, they still ship with these problems. One vendor's initial response to the bug was to release a signature that detected and dropped the attack against their manager that we sent them.