IDS mailing list archives
Re: Signatures taking down network
From: Dhruv Soi <dhruv_ymca () yahoo com>
Date: Mon, 16 Jan 2006 10:51:44 -0800 (PST)
There are many parameters involved for bringing up such situation. 1. Firstly, yes Signature QA testing might have skipped or problems found during testing might have been ignored due to severity of threat for which the signatures were created in that release. 2. Testing might have happened on different product from the one which you are using. Coz when signature(s) for a newly discovered critical vulnerability are added and due to pressure of deilvering the signature pack super fast, its not always feasible to test same signature pack against 20different products/versions. 3. Vendor might have used different test environment for testing. For example, vendors might have tested the signature pack by configuring a dummy network on IDS/IPS running 2-3domains. But in live environment you might have few 100s of different domains configured. 4. Vendor might have tested the signatures just for accuracy/syntax/working/attack blocking and might have skipped the performance testing of IPS after including new signatures with older set. There could be many more reasons....And its not the case of "xxx" vendor, these problems can be with any IPS vendor. But ofcourse its a serious problem and vendors should pay high attention to QA rather than increasing the signature count. Coz no one would like to make his/her machine secure by plugging out the network cable. -Dhruv --- David Williams <dwilliamsd () gmail com> wrote:
I'm evaluating a Tipping Point box and after gettting the latest signatures I'm having problems with the box "crashing". My goal is not to bash Tipping Point, but instead to gather information on how often people have seen this type of thing among IPS boxes. Is there a trend with vendors to roll out signatures as fast as possible without proper QA? This brings up a lot of questions about deploying IPS. I want two opposite things from my vendors: 1) I want the latest signatures super fast. 2) I want proper QA so that it doesn't bring down my network. I realize those two things are contradictory, but I thought I'd throw it out there to see if anybody had any thoughts. thanks, d
------------------------------------------------------------------------
Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
__________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
Current thread:
- Signatures taking down network David Williams (Jan 16)
- Re: Signatures taking down network Ramon Kagan (Jan 16)
- Re: Signatures taking down network Paul Schmehl (Jan 16)
- Re: Signatures taking down network Dhruv Soi (Jan 17)
- RE: Signatures taking down network Mike Barkett (Jan 24)
- <Possible follow-ups>
- RE: Signatures taking down network Craddock, Larry (Jan 16)
- RE: Signatures taking down network Palmer, Paul (ISSAtlanta) (Jan 18)
- Re: Signatures taking down network Sam Evans (Jan 18)
- Message not available
- Re: Signatures taking down network Sam Evans (Jan 21)
- Re: Signatures taking down network Sam Evans (Jan 18)
- RE: Signatures taking down network Palmer, Paul (ISSAtlanta) (Jan 18)
- RE: Signatures taking down network Ghetti, Tim (Jan 19)
- RE: Signatures taking down network Gary Halleen (ghalleen) (Jan 21)