IDS mailing list archives
Re: Re: TrafficIQ HTTP IE traffic coverage
From: "Sanjay R" <2sanjayr () gmail com>
Date: Thu, 12 Oct 2006 09:44:23 +0530
Hi Daniel:

I am not trying to say that a particular IDS does not have signatures for an IE DoS (only DoS, no command execution), and TrafficIQ includes many of them, which is wrong. I think it's not a big deal to write signatures for IE related DoS attacks. My point is: "Is it necessary for an IDS/IPS to include a very exhaustive list of IE DoS coverage?" There are many more serious vulnerabilities (a big number) and if we start paying attention to IE DoS related stuff (again a very big number), then think of performance.

I can give an example of a Traffic IQ attack, which is included in the test-list - HTTP IE Popup Blocker Bypass. Now is it really necessary for an IDS to detect this type of stuff?

I would like to mention that I don't have any particular IDS in my mind to say such things. While doing hands-on with TrafficIQ, it just came into my mind. And I really want to know whether my perception is wrong or right.

Thanks
-Sanjay
PhD
Intoto Softwares, Hyderabad, India
>From: Daniel DeLeo <danielsdeleo () mac com>
>Subject: Re: TrafficIQ HTTP IE traffic coverage
>Date: Wed, 11 Oct 2006 10:50:58 -0600
>To: SanjayR <sanjayr () intoto com>, focus-ids () securityfocus com
>
>In my view, the test should be as comprehensive as possible. If you
>choose not to put some rules into your IDS/IPS for good reasons,
>that's fine, but I think the test should tell you every possible
>exploit that can get through your IDS/IPS. You don't have to
>configure your IDS a certain way just because a test told you to; the
>point of the test is to give you information about your IDS that you
>can use to configure it the way you feel is best.
>
>That said, I haven't used TrafficIQ, and I don't work there. If you
>feel that TrafficIQ is missing tests for some critical
>vulnerabilities, and that the developers have neglected these in
>order to write tests for IE DoS instead (maybe because it's easier to
>write tests for the IE DoSes than for other vulnerabilities, but I
>don't know if that's the case), that would be significant. On the
>other hand, I don't think it is a big deal if they test more things
>than you care about; that is better than testing fewer things than
>you care about.
>
>I think it is also important to keep in mind that IDS tests, Nessus
>scans, and the like are supposed to be interpreted by qualified
>individuals. If you are having a problem like your boss freaking out
>because the test results say that your IDS isn't configured to
>protect you from a long list of IE DoS vulnerabilities, and he
>doesn't even know what the test results mean, that's a layer 8
>problem, not a problem with the test. YOU obviously know you can
>safely ignore all the test results that deal with IE DoS
>vulnerabilities, the same way I know to ignore Nessus when it says
>Apache 1.3 is vulnerable on my OpenBSD systems.
>
>On Oct 10, 2006, at 1:40 AM, SanjayR wrote:
>
>>Hi All:
>>
>>A few days ago, I got a chance to work on TrafficIQ (Karalon IDS/IPS
>>evaluation device). With its latest update, Traffic IQ has traffic
>>for many attacks. A majority of HTTP traffic is related to IE crash
>>(or DoS). I have a doubt at this point. TrafficIQ is used to
>>evaluate IDS/IPS, which in turn is used to detect the sign of
>>attacks and at the same time, it should not become a bottleneck
>>(esp. IPS) by taking too much time to process packets. Therefore,
>>the signatures should be optimized well, which implies that the number
>>of signatures should be kept as minimal as possible without
>>compromising the internal network security. From this standpoint, I
>>have an opinion that all the IE (or other clients) crash or DoS
>>related signatures should have the lowest priority, because as such
>>these attacking activities are not doing any harm to the internal
>>network. (I may go a little further to say such signatures are not
>>required!!!) One is going to a site which contains a malicious
>>file that causes IE to crash. So what... don't go or don't download
>>that... anyway that file is bad.
>>
>>If my assumption is correct and justified, then TrafficIQ, as an
>>IDS/IPS evaluation tool, should not contain such traffic. Such
>>traffic, as such, does not evaluate capabilities of an IDS/IPS
>>effectively. Has TrafficIQ included such traffic just to advertise
>>its high number of various attacks?
>>
>>Please let me know if I have gone wrong with my assumption.
>>
>>Thanks
>>
>>Sanjay
>>Security Research Engineer
>>INTOTO Software (India) Private Limited
>>
>>------------------------------------------------------------------------
>>Test Your IDS
>>
>>Is your IDS deployed correctly?
>>Find out quickly and easily by testing it with real-world attacks
>>from CORE IMPACT.
>>Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more.
>>------------------------------------------------------------------------