IDS mailing list archives

Re: Re: TrafficIQ HTTP IE traffic coverage


From: Frank Knobbe <frank () knobbe us>
Date: Fri, 13 Oct 2006 11:22:48 -0500

On Thu, 2006-10-12 at 09:44 +0530, Sanjay R wrote:
> I am not trying to say that a particular IDS does not have signatures
> for an IE DoS (only DoS, no command execution), and TrafficIQ includes
> many of them, which is wrong. I think it's not a big deal to write
> signatures for IE related DoS attacks.

Well, a DoS can translate to loss of productivity which does have a
financial impact, so it shouldn't be dismissed completely.

But inclusion of these sigs is probably more important from a marketing
perspective. Most if not all IDSes on the market (including open source)
have coverage for client-based IE exploits, DoS or otherwise.

However, from a risk mitigation or protective security effort
perspective, these signatures are probably less relevant, unless the IDS
can magically follow all possible evasion paths. (Think SSL,
Zip/Compress/Deflate encoding, various semi-supported text encodings,
etc)

So while these IDSes may not detect well-packaged exploits, they still
need to be able to write coverage for IE issues on the
marketing/performance charts.

Regards,
Frank



-- 
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
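
The Zip/Compress/Deflate point in the message above, as an added example that is not part of the original post: a content signature compared against wire bytes misses the same page once the response is gzip-encoded, so a sensor has to decode the body first and report what it cannot decode. The marker string, the size cap and all function names are constructed for illustration.

```python
import gzip
import zlib

SIGNATURE = b"EXAMPLE-IE-DOS-MARKER"  # constructed marker, not a real pattern
MAX_DECODED = 1 << 20                 # assumed cap on inflated size

def split_response(raw):
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    return headers, body

def decode_body(headers, body):
    """Return the decoded body, or None if it cannot be inspected."""
    enc = headers.get(b"content-encoding", b"identity")
    if enc == b"identity":
        return body
    if enc not in (b"gzip", b"x-gzip", b"deflate"):
        return None
    for wbits in (47, -15):  # 47: gzip or zlib header; -15: raw deflate
        try:
            d = zlib.decompressobj(wbits)
            out = d.decompress(body, MAX_DECODED)
            if d.eof and not d.unconsumed_tail:
                return out   # complete stream within the size cap
        except zlib.error:
            pass
    return None

def naive_match(raw):
    return SIGNATURE in raw  # looks at wire bytes only

def normalized_verdict(raw):
    decoded = decode_body(*split_response(raw))
    if decoded is None:
        return "uninspectable"  # report the blind spot instead of "clean"
    return "alert" if SIGNATURE in decoded else "clean"

def build(body, encoding=None):  # builds the constructed sample responses
    head = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    if encoding:
        head += b"Content-Encoding: " + encoding + b"\r\n"
    return head + b"\r\n" + body

PAGE = b"<html><body>" + SIGNATURE + b"</body></html>"
PLAIN, GZIPPED = build(PAGE), build(gzip.compress(PAGE), b"gzip")
UNKNOWN = build(PAGE, b"br")  # labelled with an encoding not handled here
```

SSL and the text encodings mentioned in the same sentence are not covered by this sketch; an SSL-wrapped response would never reach `split_response` in readable form.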
