IDS mailing list archives

Re: Signatures taking down network

From: Dhruv Soi <dhruv_ymca () yahoo com>
Date: Mon, 16 Jan 2006 10:51:44 -0800 (PST)

There are many parameters involved for bringing up
such situation. 
   
  1. Firstly, yes Signature QA testing might have
skipped or problems found during testing might have
been ignored due to severity of threat for which the
signatures were created in that release. 
   
  2. Testing might have happened on different product
from the one which you are using. Coz when
signature(s) for a newly discovered critical
vulnerability are added and due to pressure of
deilvering the signature pack super fast, its not
always feasible to test same signature pack against
20different products/versions. 
   
  3. Vendor might have used different test environment
for testing. For example, vendors might have tested
the signature pack by configuring a dummy network on
IDS/IPS running 2-3domains. But in live environment
you might have few 100s of different domains
configured. 
   
  4. Vendor might have tested the signatures just for 
accuracy/syntax/working/attack blocking and might have
skipped the performance testing of IPS after including
new signatures with older set.
   
  There could be many more reasons....And its not the
case of "xxx" vendor, these problems can be with any
IPS vendor. But ofcourse its a serious problem and
vendors should pay high attention to QA rather than
increasing the signature count. Coz no one would like
to make his/her machine secure by plugging out the
network cable.
  
-Dhruv


--- David Williams <dwilliamsd () gmail com> wrote:

I'm evaluating a Tipping Point box and after
gettting the latest
signatures I'm having problems with the box
"crashing".  My goal is
not to bash Tipping Point, but instead to gather
information on how
often people have seen this type of thing among IPS
boxes.

Is there a trend with vendors to roll out signatures
as fast as
possible without proper QA?  This brings up a lot of
questions about
deploying IPS.  I want two opposite things from my
vendors:  1) I want
the latest signatures super fast.  2)  I want proper
QA so that it
doesn't bring down my network.  I realize those two
things are
contradictory, but I thought I'd throw it out there
to see if anybody
had any thoughts.

thanks,

d

------------------------------------------------------------------------

Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to

http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708

to learn more.

------------------------------------------------------------------------



__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------

Current thread:

Signatures taking down network David Williams (Jan 16)
- Re: Signatures taking down network Ramon Kagan (Jan 16)
- Re: Signatures taking down network Paul Schmehl (Jan 16)
- Re: Signatures taking down network Dhruv Soi (Jan 17)
- RE: Signatures taking down network Mike Barkett (Jan 24)
- <Possible follow-ups>
- RE: Signatures taking down network Craddock, Larry (Jan 16)
- RE: Signatures taking down network Palmer, Paul (ISSAtlanta) (Jan 18)
  - Re: Signatures taking down network Sam Evans (Jan 18)
    - Message not available
    - Re: Signatures taking down network Sam Evans (Jan 21)
- RE: Signatures taking down network Palmer, Paul (ISSAtlanta) (Jan 18)
- RE: Signatures taking down network Ghetti, Tim (Jan 19)
- RE: Signatures taking down network Gary Halleen (ghalleen) (Jan 21)