IDS mailing list archives
RE: IDS, IPS or just rubbish?
From: "Golomb, Gary" <GGolomb () enterasys com>
Date: Wed, 25 Jun 2003 07:50:43 -0400
> They kept telling me about SQL Slammer and how this solution will stop it.
> What utter crap. Can anyone on this list tell me of a signature-based IDS which picked Slammer up in the 2-odd hours it needed to propagate?
All the major ones did. It was an automated exploit for an older vulnerability, as all worms are. Our phones were ringing off the hook from customers who had a sharp increase (understatement) in alerts for that MS-SQL vulnerability.

The most interesting one I can think of along these lines [off-hand] was Code Red. It was based on a vulnerability only announced two weeks beforehand. In that case, the only IDSs that detected it were the ones that have quick turn-around times on releasing updates for new vulnerabilities.

It sounds like you're referring to pattern matching as signature-based analysis. Don't be so quick to dismiss it as irrelevant, for Checkpoint, us, or otherwise. How do you think most IDSs on the market are able to identify anything specific without identifying patterns in packets? With the scenario quoted above, it's more important to be concerned about the team they have analyzing and researching new threats. Code Red illustrates that point well. Based on what we saw, many vendors had not released updates for the IIS vulnerability before the worm started spreading, so many other IDSs did not detect anything (protocol decoding or otherwise).

Sure, better methods exist nowadays for generic alerting to overflows of this type, which is great for finding new exploits for those types of vulns. However, based on historical performance it's not going to buy you anything when the next worm du jour derived from a new (or unaccounted-for) vulnerability starts spreading again.

My myopic two cents, as usual-

-gary

ps - Your email was great! It's awesome when people raise the BS flag AND do it in such a "candid" manner! ;)

----
Gary Golomb
Senior Research Engineer
Intrusion Detection Group
Enterasys Networks
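The post contrasts two ways a sensor can catch a worm: a pattern signature, which only helps if the vendor shipped the rule before the worm started spreading, and a generic overflow heuristic, which needs no prior knowledge of the specific exploit but is cruder. The following is an added illustration, not code from the mailing-list thread or from any vendor named in it. Every rule, release date, port bound and packet below is constructed for the example; the payload markers (`EXAMPLE-WORM-A-MARKER` and so on) are placeholders standing in for real exploit bytes, and the "expected maximum request size" table is a hypothetical protocol-aware bound.

```python
"""Toy sensor: pattern signatures versus a generic overflow heuristic.

All rules, dates, ports and packets are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Signature:
    name: str
    dst_port: int
    pattern: bytes  # byte sequence the rule looks for in the payload
    released: date  # day the (hypothetical) vendor shipped the rule


@dataclass(frozen=True)
class Packet:
    seen: date
    dst_port: int
    payload: bytes


# Constructed rule set. Placeholder markers stand in for real exploit bytes.
SIGNATURES = [
    Signature("hypothetical-worm-a", 1434, b"EXAMPLE-WORM-A-MARKER", date(2003, 1, 1)),
    Signature("hypothetical-worm-b", 8080, b"EXAMPLE-WORM-B-MARKER", date(2003, 7, 15)),
]

# Hypothetical expected maximum request size per service, used by the heuristic.
EXPECTED_MAX_LEN = {1434: 64, 8080: 512}


def signature_alerts(packets, signatures):
    """Return (packet index, rule name) pairs for pattern hits.

    A rule only counts if it had been released by the day the packet was seen:
    this models the turn-around-time problem the post describes.
    """
    alerts = []
    for i, pkt in enumerate(packets):
        for sig in signatures:
            if sig.dst_port != pkt.dst_port:
                continue
            if sig.released > pkt.seen:  # rule did not exist yet on that day
                continue
            if sig.pattern in pkt.payload:
                alerts.append((i, sig.name))
    return alerts


def longest_byte_run(payload):
    """Length of the longest run of one repeated byte value in payload."""
    best = run = 0
    prev = None
    for b in payload:
        run = run + 1 if b == prev else 1
        prev = b
        best = max(best, run)
    return best


def heuristic_alerts(packets, expected_max, min_run=32):
    """Flag payloads that exceed the service's expected size and contain a long
    run of a single byte, a crude stand-in for generic overflow detection.

    It knows nothing about any specific worm, so it fires on new and old
    exploits alike, at the price of being far less specific than a signature.
    """
    alerts = []
    for i, pkt in enumerate(packets):
        limit = expected_max.get(pkt.dst_port)
        if limit is None:
            continue
        if len(pkt.payload) > limit and longest_byte_run(pkt.payload) >= min_run:
            alerts.append((i, "generic-overflow"))
    return alerts


# Constructed traffic seen on 2003-06-01: one worm for an old, already-signatured
# hole, one for a hole whose rule is not released until July, and one benign request.
PACKETS = [
    Packet(date(2003, 6, 1), 1434, b"A" * 96 + b"EXAMPLE-WORM-A-MARKER"),
    Packet(date(2003, 6, 1), 8080, b"GET /" + b"B" * 700 + b"EXAMPLE-WORM-B-MARKER"),
    Packet(date(2003, 6, 1), 8080, b"GET /index.html HTTP/1.0\r\n\r\n"),
]


def run_sensor(packets=PACKETS):
    """Run both engines over the constructed traffic and return their alerts."""
    return {
        "signature": signature_alerts(packets, SIGNATURES),
        "heuristic": heuristic_alerts(packets, EXPECTED_MAX_LEN),
    }


if __name__ == "__main__":
    for engine, alerts in run_sensor().items():
        print(engine, alerts)
```

Running it shows the asymmetry the post argues about: the signature engine names worm A precisely and is silent on worm B, because that rule post-dates the traffic; the heuristic flags both oversized payloads but can only say "something overflow-shaped", and its thresholds (size bound, run length) are what a real sensor would have to tune per protocol to keep false positives down.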
Current thread:
- IDS, IPS or just rubbish? Jack Ryan (Jun 24)
- RE: IDS, IPS or just rubbish? David J. Meltzer (Jun 25)
- RE: IDS, IPS or just rubbish? Rob Shein (Jun 25)
- RE: IDS, IPS or just rubbish? Curt Purdy (Jun 25)
- Re: IDS, IPS or just rubbish? Ravi (Jun 26)
- <Possible follow-ups>
- RE: IDS, IPS or just rubbish? Golomb, Gary (Jun 25)