Dailydave mailing list archives

RE: Sniffing is not the easy answer, Kate.


From: "Sash" <swissc () blueyonder co uk>
Date: Wed, 12 Oct 2005 04:03:21 +0100

Dear Daily Dave,

These days, the products aren't a massive tax on segmentation into which one
can tap a 1Q line fed to them and even other ways.  Bar that, quad pci
(times x) is a song that is sung sometimes.  Can't see it's that much an issue
bar cash:)

I'm not sure if you are baiting me here Dave :).  But yes, there seems to be
some issues in the Kate Moss sniffing/prevention sec industry in what we
talk about.  She had a 3-some. In terms of product tech, the difference
between monitoring vs low latency prev product should be clear; however,
essentially it's the same one "sec" tech.

What I've seen in a very curtailed research/assessment in that genre (IPS)
is, it's not all that it seems on paper.  "yes we trap IE sploits", "Yes
we detect DCE-RPC frags/UUID context changes", "yes we do great DDoS
detection/prevention", "yes we see SUN RPC sploits", "gee's even long HTTP
post requests", "rudimentary list continues.....".  Some explicitly claim to
not do client side stuff - some do, and even those are still evaded (by lame
arse html code I'm afraid).  Sometimes they even go so far as to say they are
web app firewalls to some degree....... oh.

Oh and yes, CANVAS has made BIG holes in some (but not all).  Metasploit's
DCE-RPC/SMB frag worked on one that I trialled.

But some do some really nice SYN proxying too...

To be honest Dave, is it the shell code polymorph that's the issue (as I
can't see how they can ever catch you given that as a trigger?)  Coz they
can't parse Asm and work out what you are doing.  That's right now and for
the foreseeable future, no? From recent experience it's stuff like calling
DCpromo over a network, small or extended RPC frags, et al (I can only think
the list goes on as you know) - it's abnormal behaviour.  In an enterprise
environment you can't stop Mr nasty; however Mr Badly Written Worm has a high
probability of being caught.  I feel IDS helps the "picture" of the network,
as openview may to traditional networking, and IPS blocks the really
silly un-patched sploits propagating.

A box that understands the proto and not so much the sigs is supreme; however,
it always seems that the "in crowd" is always ahead of the "commercial
crowd" and both are never ahead of the transient nationals from Country X.

Cheers
Sash




-----Original Message-----
From: Paul Melson [mailto:pmelson () gmail com] 
Sent: 11 October 2005 19:56
To: 'byte_jump'
Cc: 'dailydave'
Subject: RE: [Dailydave] Sniffing is not the easy answer, Kate.

-----Original Message-----
Subject: Re: [Dailydave] Sniffing is not the easy answer, Kate.

An admission that NIDS products == antivirus products. "We protect you
- as long as five percent of your peers have alerted us to the fact that
they got owned and have provided us with samples!"

No question.  I didn't mean to be defending NIDS products.  Even purveyors
of security wares put things like cost (be it $$ or cpu%) over security.
That applies both to the degree of security their products provide as well
as the security of their actual products*.  But at the end of the day,
signatures are easy to manage, require relatively little knowledge about the
type of attack involved, and don't require a ton of CPU or memory.  That's
why this model is used in AV as well as NIDS/HIDS products.

PaulM 

*I'm probably still under NDA so no specifics, but I'm aware of major design
flaws, like elementary level stuff, in two NIDS vendors' appliances (these
are names you know).  AFAIK, they still ship with these problems.  One
vendor's initial response to the bug was to release a signature that
detected and dropped the attack against their manager that we sent them.
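The thread's two points (signatures are cheap and easy, but a box that understands the protocol catches what a per-packet signature misses, e.g. RPC frags) as an added illustration that is not part of the original messages. The fragment format, flag bits, `Fragment`/`fragment`/`reassemble` names and the `MARKER-OPNUM-7` "signature" are all constructed for this example and stand in for a real DCE-RPC implementation.

```python
# Added example (not from the thread): a toy fragment format, constructed here,
# showing why a per-packet byte signature misses a pattern that is split across
# DCE-RPC-style fragments, while a reassembling, protocol-aware sensor does not.
from dataclasses import dataclass

FIRST_FRAG, LAST_FRAG = 0x01, 0x02  # flag bits, constructed for this example


@dataclass
class Fragment:
    call_id: int  # ties fragments of one call together, as DCE-RPC call_id does
    flags: int    # FIRST_FRAG / LAST_FRAG bits
    data: bytes   # this fragment's slice of the stub data


# Constructed stand-in for a vendor signature: a marker the sensor looks for.
SIGNATURE = b"MARKER-OPNUM-7"


def fragment(call_id, payload, size):
    """Split payload into fragments of `size` bytes, setting first/last flags."""
    chunks = [payload[i:i + size] for i in range(0, len(payload), size)] or [b""]
    frags = []
    for idx, chunk in enumerate(chunks):
        flags = (FIRST_FRAG if idx == 0 else 0) | (LAST_FRAG if idx == len(chunks) - 1 else 0)
        frags.append(Fragment(call_id, flags, chunk))
    return frags


def per_packet_match(frags, sig=SIGNATURE):
    """Naive sensor: test the signature against each fragment on its own."""
    return any(sig in f.data for f in frags)


def reassemble(frags):
    """Protocol-aware sensor: stitch fragments per call_id in arrival order and
    only release a call's stub once its LAST_FRAG has been seen."""
    buffers, complete = {}, {}
    for f in frags:
        if f.flags & FIRST_FRAG or f.call_id not in buffers:
            buffers[f.call_id] = bytearray()
        buffers[f.call_id].extend(f.data)
        if f.flags & LAST_FRAG:
            complete[f.call_id] = bytes(buffers.pop(f.call_id))
    return complete


def reassembled_match(frags, sig=SIGNATURE):
    """Run the same signature, but over the reassembled stub of each call."""
    return any(sig in body for body in reassemble(frags).values())


# Constructed sample payload; an 8-byte fragment size splits the marker in two.
PAYLOAD = b"hdr:" + SIGNATURE + b":tail"
```

With `fragment(1, PAYLOAD, 8)` the per-packet matcher returns False and the reassembling matcher True; reassembly also keeps interleaved calls apart by `call_id`.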



