Re: Re: TrafficIQ HTTP IE traffic coverage

["Sanjay R" <2sanjayr () gmail com>]

Hi Daniel:
I am not trying to say that a particular IDS does not have signatures
for a IE DoS (only DoS, no command execution), and TrafficIQ includes
many of them, which is wrong. I think its not a big deal to write
signatures for IE related DoS attacks. my point is "Is it necessary
for an IDS/IPS to include a very exhausted list of IE DoS coverage?"
There are many more serious vulnerabilities (a big number) and if we
start paying attention to IE DoS related stuff (again a very big
number), then think of performance. I can give an example of Traffic
IQ attack, which is included in the test-list - HTTP IE Popup Blocker
Bypass. Now is it really necessary for an IDS to detect this type of
stuff?
I would like to mention that I don't have any particular IDS in my
kind to say such things. While doing hands-on with TrafficIQ, it just
came into my mind. And I really want to know whether my perception is
wrong or right.
Thanks
-Sanjay

PhD
Intoto Softwares, Hyderabad, India


> >From: Daniel DeLeo <danielsdeleo () mac com>
> >Subject: Re: TrafficIQ HTTP IE traffic coverage
> >Date: Wed, 11 Oct 2006 10:50:58 -0600
> >To: SanjayR <sanjayr () intoto com>, focus-ids () securityfocus com
> >X-Mailer: Apple Mail (2.752.3)
> >X-Brightmail-Tracker: AAAAAA==
> >X-Brightmail-scanned: yes
> >X-Scanned-By: MIMEDefang 2.41
> >
> >In my view, the test should be as comprehensive as possible.  If you
> >choose not to put some rules into your IDS/IPS for good reasons,
> >that's fine, but I think the test should tell you every possible
> >exploit that can get through your IDS/IPS.  You don't have to
> >configure your IDS a certain way just because a test told you to, the
> >point of the test is to give you information about your IDS that you
> >can use to configure it the way you feel is best.
> >
> >That said, I haven't used TrafficIQ, and I don't work there.  If you
> >feel that TrafficIQ is missing tests for some critical
> >vulnerabilities, and that the developers have neglected these in
> >order to write tests for IE DoS instead (maybe because it's easier to
> >write tests for the IE DoSes than for other vulnerabilities, but I
> >don't know if that's the case) that would be significant.  On the
> >other hand, I don't think it is a big deal if they test more things
> >than you care about, that is better than testing fewer things than
> >you care about.
> >
> >I think it is also important to keep in mind that IDS tests, Nessus
> >scans, and the like are supposed to be interpreted by qualified
> >individuals.  If you are having a problem like your boss freaking out
> >because the test results say that your IDS isn't configured to
> >protect you from a long list of IE DoS vulnerabilities, and he
> >doesn't even know what the test results mean, that's a layer 8
> >problem, not a problem with the test.  YOU obviously know you can
> >safely ignore all the test results that deal with IE DoS
> >vulnerabilities, the same way I know to ignore Nessus when it says
> >Apache 1.3 is vulnerable on my OpenBSD systems.
> >
> >On Oct 10, 2006, at 1:40 AM, SanjayR wrote:
> >
> >>Hi All:
> >>Few days ago, I got a chance to work on TrafficIQ (karalon IDS/IPS
> >>evaluation device). With its latest update, Traffic IQ has traffic
> >>for many attacks. A majority of HTTP traffic is related to IE crash
> >>(or DoS). I have a doubt at this point. TrafficIQ is used to
> >>evaluate IDS/IPS, which in turn is used to detect the sign of
> >>attacks and at the same time, it should not become a bottleneck
> >>(esp. IPS) by taking too much time to process packets. Therefore,
> >>the signatures should be optimized well, which implies that number
> >>of signatures should be kept as minimum as possible without
> >>compromising the internal network security. From this standpoint, I
> >>have an opinion that all the IE (or other clients) crash or DoS
> >>related signatures should have lowest priority, because as such
> >>these attacking activities are not doing any harm to internal
> >>network. (I may go a little further to say, such signatures are not
> >>required!!!). One is going to a site which contains a malicious
> >>file that causes IE to crash. so what..don't go or don't download
> >>that.. anyway that file is bad.
> >>If my assumption is correct and justified, then TrafficIQ, as an
> >>IDS/IPS evaluation tool, should not contain such traffic. Such
> >>traffic, as such, does not evaluate capabilities of an IDS/IPS
> >>effectively. Has TrafficIQ included such traffic just to advertise
> >>its high number of various attacks?
> >>Please let me know if i have gone wrong with my assumtion.
> >>thanks
> >>
> >>
> >>Sanjay
> >>Security Research Engineer
> >>INTOTO Software (India) Private Limited
> >>
> >>---------------------------------------------------------------------- --
> >>Test Your IDS
> >>
> >>Is your IDS deployed correctly?
> >>Find out quickly and easily by testing it with real-world attacks
> >>from CORE IMPACT.
> >>Go to http://www.coresecurity.com/index.php5?
> >>module=Form&action=impact&campaign=intro_sfw to learn more.
> >>---------------------------------------------------------------------- --


--

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------