IDS mailing list archives

RE: IDS, IPS or just rubbish?


From: "Golomb, Gary" <GGolomb () enterasys com>
Date: Wed, 25 Jun 2003 07:50:43 -0400



> They kept telling me about SQL Slammer and how this solution will stop it.
> What utter crap. Can anyone on this list tell me of a signature-based IDS
> which picked Slammer up in the 2-odd hours it needed to propagate?

All the major ones did. It was an automated exploit for an older
vulnerability - as all worms are. Our phones were ringing off the hook
from customers who had a sharp increase (understatement) in alerts for
that MS-SQL vulnerability. The most interesting one I can think of along
these lines [off-hand] was Code Red. It was based on a vulnerability
only announced two weeks beforehand. In that case, the only IDSs that
detected it were the ones that have quick turn-around times on releasing
updates for new vulnerabilities. 

It sounds like you're referring to pattern matching as signature-based
analysis. Don't be so quick to dismiss it as irrelevant, for Checkpoint,
us, or otherwise. How do you think most IDSs on the market are able to
identify anything specific without identifying patterns in packets? With
the scenario quoted above, it's more important to be concerned about the
team they have analyzing and researching new threats. Code Red
illustrates that point well. Based on what we saw, many vendors had not
released updates for the IIS vulnerability before the worm started
spreading, so many other IDSs did not detect anything (protocol decoding
or otherwise). Sure better methods exist nowadays for generic alerting
to overflows of this type - which is great for finding new exploits for
those types of vulns. However, based on historical performance it's not
going to buy you anything when the next worm du jour derived from a new
(or unaccounted for) vulnerability starts spreading again. 

My myopic two cents, as usual-

-gary

ps - Your email was great! It's awesome when people raise the BS flag
AND do it in such a "candid" manner! ;)


----
Gary Golomb
Senior Research Engineer
Intrusion Detection Group
Enterasys Networks
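The reply above argues that most IDSs identify specific attacks by matching patterns in packets, and that a generic overflow heuristic helps with new exploits of known bug classes but does not cover a worm built on a vulnerability nobody has a rule for yet. The following is an added illustration of that distinction; it is not code from the thread, from Gary Golomb or from Enterasys. The signature names, byte patterns, ports and packets are all constructed for the demo (the content pattern is a placeholder marker, not a real worm signature), and the "oversized payload with a long run of one byte" heuristic is a deliberately simple stand-in for the generic overflow detection the message mentions.

```python
from dataclasses import dataclass
from typing import List, Set


@dataclass(frozen=True)
class Packet:
    proto: str       # "udp" or "tcp" (constructed, no real capture involved)
    dst_port: int
    payload: bytes


@dataclass(frozen=True)
class Signature:
    name: str
    proto: str
    dst_port: int
    content: bytes   # byte pattern that must appear in the payload


@dataclass(frozen=True)
class Alert:
    packet_index: int
    reason: str


def match_signature(pkt: Packet, sig: Signature) -> bool:
    """Classic pattern-matching check: protocol, port and payload content."""
    return (pkt.proto == sig.proto
            and pkt.dst_port == sig.dst_port
            and sig.content in pkt.payload)


def looks_like_overflow(pkt: Packet, max_len: int = 512, run_len: int = 64) -> bool:
    """Generic heuristic (assumption, not any vendor's method): a payload that is
    larger than a service normally expects AND contains a long run of a single
    byte, the kind of filler an overflow attempt often carries."""
    if len(pkt.payload) <= max_len:
        return False
    longest = current = 1
    for a, b in zip(pkt.payload, pkt.payload[1:]):
        if a == b:
            current += 1
            longest = max(longest, current)
        else:
            current = 1
    return longest >= run_len


def scan(packets: List[Packet], signatures: List[Signature],
         service_ports: Set[int]) -> List[Alert]:
    """Run every packet through the signature set, then the generic heuristic
    for packets aimed at monitored service ports."""
    alerts: List[Alert] = []
    for i, pkt in enumerate(packets):
        for sig in signatures:
            if match_signature(pkt, sig):
                alerts.append(Alert(i, f"signature:{sig.name}"))
        if pkt.dst_port in service_ports and looks_like_overflow(pkt):
            alerts.append(Alert(i, "heuristic:oversized-payload"))
    return alerts


# Constructed rule set: one signature for a vulnerability that has already
# been researched and published. "DEMO-KNOWN-EXPLOIT" is a placeholder marker.
SIGNATURES = [Signature("demo-known-exploit", "udp", 1434, b"DEMO-KNOWN-EXPLOIT")]
SERVICE_PORTS = {80, 1434}

# Constructed traffic sample.
PACKETS = [
    # 0: exploit for the known vulnerability -> caught by the signature
    Packet("udp", 1434, b"\x04DEMO-KNOWN-EXPLOIT" + b"A" * 40),
    # 1: ordinary web request -> nothing
    Packet("tcp", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
    # 2: overflow attempt against a bug with no signature yet -> only the
    #    generic heuristic has a chance of noticing it
    Packet("tcp", 80, b"GET /" + b"N" * 900 + b" HTTP/1.0\r\n\r\n"),
    # 3: large but legitimate-looking upload -> oversized, yet no long run,
    #    so the heuristic stays quiet (length alone is not the criterion)
    Packet("tcp", 80, b"POST /upload HTTP/1.0\r\n\r\n" + bytes(range(256)) * 3),
]


if __name__ == "__main__":
    for alert in scan(PACKETS, SIGNATURES, SERVICE_PORTS):
        print(f"packet {alert.packet_index}: {alert.reason}")
```

Packet 2 is the case the message is really about: it is flagged only because its shape happens to trip a generic heuristic, and a worm whose payload did not look like a crude filler overflow would sail through until a research team shipped a rule for the new vulnerability. That is why the reply puts the vendor's update turn-around time ahead of the detection method itself.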
