IDS mailing list archives
Re: IDS evaluations procedures
From: Mike Frantzen <frantzen () nfr com>
Date: Mon, 18 Jul 2005 10:29:06 -0400
> An example would be to use an IPS to force all HTTP requests to have the host header www.xyz.com (your site's URL); this will stop a significant proportion of HTTP noise before signature matching.
As IPS developers we have to be very careful with IPS optimizations like this. They work well in some sites but break horribly in others. Your example will block most HTTP/1.0 requests that don't require a Host: header. Many upness checkers won't bother with a well-formed HTTP request, so your site will appear down and someone may get paged and get very cranky figuring out why everything works but the website-is-up checker.

Likewise, it will run into a cold-start problem when a connection is already live and sent the packet containing the Host: header just before the IPS began monitoring.

.mike
frantzen@(nfr.com | cvs.openbsd.org | w4g.org)
PGP: CC A4 E2 E8 0C F8 42 F0 BC 26 85 5B 6F 9E ED 28
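As an added illustration, not code from the thread or from NFR, here is the proposed Host-header rule in Python beside a version that handles the two failure modes Mike describes (HTTP/1.0 checkers that send no Host:, and a connection picked up mid-stream). The request bytes are constructed, and www.xyz.com is the placeholder name from the quoted message.

```python
import re
from typing import Optional

ALLOWED_HOST = b"www.xyz.com"  # the site's own name (placeholder from the thread)
REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/(\d)\.(\d)\r?\n")


def host_header(data: bytes) -> Optional[bytes]:
    """Return the Host: value (port stripped) from a request head, or None.
    Skips the first line, which is the request line if we saw the start."""
    head = data.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().split(b":")[0]  # IPv6 literals not handled
    return None


def naive_verdict(data: bytes) -> str:
    """The optimization as proposed: every request must carry Host: www.xyz.com."""
    return "pass" if host_header(data) == ALLOWED_HOST else "drop"


def careful_verdict(data: bytes, saw_connection_start: bool) -> str:
    """Same rule, applied only where it is sound; 'not-applicable' means
    fall through to ordinary signature matching instead of deciding here."""
    if not saw_connection_start:
        # Cold start: the Host: header may have gone by before monitoring began.
        return "not-applicable"
    m = REQUEST_LINE.match(data)
    if m is None:
        return "not-applicable"  # HTTP/0.9 'GET /' or not an HTTP request line
    version = (int(m.group(1)), int(m.group(2)))
    host = host_header(data)
    if host is None:
        # Host: is mandatory only from HTTP/1.1; a bare HTTP/1.0 HEAD is legitimate.
        return "drop" if version >= (1, 1) else "not-applicable"
    return "pass" if host == ALLOWED_HOST else "drop"


# Constructed sample traffic (not captured from any real site).
REQ_11 = b"GET / HTTP/1.1\r\nHost: www.xyz.com\r\n\r\n"
REQ_10_CHECKER = b"HEAD / HTTP/1.0\r\n\r\n"          # typical upness checker
REQ_11_OTHER = b"GET / HTTP/1.1\r\nHost: other.example\r\n\r\n"
MID_STREAM = b"Accept: */*\r\n\r\n"                  # IPS attached after the Host: line
```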