IDS mailing list archives

Re: IDS evaluations procedures


From: Mike Frantzen <frantzen () nfr com>
Date: Mon, 18 Jul 2005 10:29:06 -0400


An example would be to use an IPS to force all HTTP requests to have the host header www.xyz.com (your site's URL);
this will stop a significant proportion of HTTP noise before signature matching.

As IPS developers we have to be very careful with IPS optimizations like
this. They work well in some sites but break horribly in others.

Your example will block most HTTP/1.0 requests that don't require a
Host: header. Many upness checkers won't bother with a well-formed HTTP
request, so your site will appear down and someone may get paged and get
very cranky figuring out why everything works but the website-is-up
checker. Likewise, it will run into a cold-start problem when a
connection is already live and sent the packet containing the Host:
header just before the IPS began monitoring.

.mike
frantzen@(nfr.com | cvs.openbsd.org | w4g.org)
PGP:  CC A4 E2 E8 0C F8 42 F0  BC 26 85 5B 6F 9E ED 28
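The two failure modes Mike describes (HTTP/1.0 requests that legitimately omit Host:, and a monitor that starts mid-connection) can be made concrete with a small model of the pre-filter. The following is an added example, not code from the original post or from NFR; the function names (`parse_request`, `naive_host_filter`, `host_filter`, `is_request_head`, `run_samples`) and the sample requests are constructed for illustration, and www.xyz.com is the placeholder hostname from the quoted proposal. It puts the rule as proposed ("every request must carry Host: www.xyz.com") next to a version that only enforces the header where the protocol version requires it, and shows how a segment with no request line has to be recognised rather than judged as a headerless request.

```python
"""Host-header pre-filtering for an IPS, and why the naive rule misfires.

Added example, not from the original post. All names and sample requests
are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

EXPECTED_HOST = "www.xyz.com"  # the site's own hostname, as in the quoted proposal
METHODS = (b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"TRACE", b"CONNECT")


@dataclass
class Request:
    method: str
    target: str
    version: str
    headers: Dict[str, str]  # header names lower-cased


def parse_request(raw: bytes) -> Request:
    """Parse the request line and headers of one HTTP request head."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) == 2:  # HTTP/0.9 "simple request": no version token at all
        method, target, version = parts[0], parts[1], "HTTP/0.9"
    elif len(parts) == 3:
        method, target, version = parts
    else:
        raise ValueError("malformed request line: %r" % lines[0])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return Request(method, target, version, headers)


def _host_matches(host: str) -> bool:
    # Strip an optional :port and compare case-insensitively.
    return host.split(":")[0].lower() == EXPECTED_HOST


def naive_host_filter(req: Request) -> str:
    """The rule as proposed: every request must carry Host: www.xyz.com."""
    host = req.headers.get("host")
    return "pass" if host is not None and _host_matches(host) else "drop"


def host_filter(req: Request) -> str:
    """Enforce Host: only where the protocol requires it (HTTP/1.1).

    An HTTP/1.0 or 0.9 request without Host: is not noise; it is what a
    simple uptime checker sends. Pass it on to signature matching instead.
    """
    host = req.headers.get("host")
    if host is None:
        return "pass" if req.version in ("HTTP/1.0", "HTTP/0.9") else "drop"
    return "pass" if _host_matches(host) else "drop"


def is_request_head(segment: bytes) -> bool:
    """True if the segment begins with a request line.

    On a cold start the first segment the IPS sees may be the middle of a
    connection whose Host: header went by before monitoring began. Such a
    segment must not be fed to the Host check as if it were a headerless
    request; it needs stream tracking, not a verdict.
    """
    first_line = segment.split(b"\r\n", 1)[0]
    return first_line.split(b" ")[0] in METHODS


# Constructed sample traffic.
SAMPLES = {
    "browser_1.1": b"GET / HTTP/1.1\r\nHost: www.xyz.com\r\nUser-Agent: x\r\n\r\n",
    "checker_1.0": b"GET / HTTP/1.0\r\n\r\n",          # uptime checker, no Host:
    "wrong_host": b"GET / HTTP/1.1\r\nHost: other.example\r\n\r\n",
    "missing_host_1.1": b"GET / HTTP/1.1\r\n\r\n",    # invalid per HTTP/1.1
    "host_with_port": b"GET /x HTTP/1.1\r\nHost: WWW.XYZ.COM:80\r\n\r\n",
}


def run_samples() -> Dict[str, Tuple[str, str]]:
    """Return (naive verdict, version-aware verdict) for each sample."""
    return {name: (naive_host_filter(parse_request(raw)), host_filter(parse_request(raw)))
            for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, (naive, aware) in run_samples().items():
        print("%-18s naive=%-5s version-aware=%s" % (name, naive, aware))
    print("mid-stream segment is a request head:", is_request_head(b"<html>...</html>"))
```

Only `checker_1.0` differs between the two filters: the naive rule drops it and the monitor reports the site down, which is exactly the paging scenario in the post. The version-aware filter still drops a wrong Host: and a Host:-less HTTP/1.1 request, so the noise reduction the proposal was after is largely kept. `is_request_head` returning False for a mid-stream segment is the point at which a real IPS has to fall back to connection state instead of applying the header rule.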
