IDS mailing list archives
Re: IDS alerts / second - Correlation - Virtualization
From: william taft <willtaft () gmail com>
Date: Thu, 28 Jul 2005 21:10:04 -0400
On 7/26/05, Swift, David <dswift () ipolicynetworks com> wrote:
> And how would you propose to block something you can't detect? IPS actions are always on patterns of data, either packet level, or based on anomalous behavior (statistical, historical, protocol...). To argue otherwise is incomprehensible.
why -not- block something you can't understand? why are we giving up on using tools other than firewalls/IPS (i prefer 'layer 7 firewall' to 'ips')? handshaking does exist beyond TCP...applications, authentication protocols, etc. all have 'handshakes'. if you authorize enough basic application traffic (i'll bet most of us use only a handful of applications anyway), i think you'll probably close many gaps. IPS/layer 7 firewall isn't the answer, but something must be out there for this purpose.

On 7/26/05, Swift, David <dswift () ipolicynetworks com> continues:
> RDP is an allowed protocol to Windows. A Null Session is perfectly legitimate to Windows operating system. CAT /ETC/PASSWD is a perfectly valid Unix command.
you've lost me here...are you saying that just to jam a square technology into a round role? you'd allow any access to /etc/passwd from the outside into your DMZ? from a non-administrative workstation to a server? i wouldn't. why not block traffic you're not supposed to see? yes, block requests to /etc/passwd (and other naughty actions) across all ports from the outside world into your dmz. why wouldn't you?

/will