IDS mailing list archives

Re: Re: Re: Re: HTTP traffic


From: "Abhishek Bhuyan" <abhuyan () gmail com>
Date: Fri, 10 Aug 2007 01:56:03 +0530

Just some pointers based on the question which *was* asked, on which
abhicc did agree that there are false positive scenarios.
What I presume from most is that there are no cases of false positives
at all. My personal experience after working in a host-based IPS company
is that I have come across many false positive scenarios. Maybe I'm a
step behind all of you, or the functionality is kind of limited.
HTTP is a simple text-based protocol for which we also have a predefined
RFC. I think that would give the best understanding of the protocol
itself.

Coming to the client side, for which I think the focus changes to
host-based IDS/IPS.
Hirosh - Very true. A proper product *should* do --
Personally I'm yet to see, or am not aware of, any product which does
have any kind of JavaScript parser or decodes all file format structures,
which would help to write vulnerability-specific rules to tackle some
vulnerabilities. For evasions, though a bit off-topic, it would be
interesting to see how many stop gzip+chunked evasions :)

abhicc - Yes, the only reason being that tackling the client side is kind of
a pain. Also the kind of functionality which we get, not forgetting
the performance impact it might have. I'm not claiming anything or trying to
win the rat race. What kind of result do you want to know? I cannot share
with you the benchmark or test setup details, but could certainly give
you many examples. Again, that would be disclosing something which
should not be :)
By being creative I meant not just looking for patterns from the
exploit, but something which will make more sense rather than just looking
for, say, "AAA" for a specific overflow. It's debatable and will
depend on the exploit/vulnerability.

-Abhishek

On 9 Aug 2007 09:44:54 -0000, kroudo () gmail com <kroudo () gmail com> wrote:
Well Abhishek, abhicc makes perfect sense describing the way to create regions for scanning the traffic... these
regions help remove the unwanted traffic from being scanned and hence remove FPs.

What is so difficult in it to understand?


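The gzip+chunked evasion Abhishek mentions, as an added example that is not part of the thread: a constructed HTTP response carries its body gzip-compressed and chunked, so a pattern rule run over the raw wire bytes misses it, while the same rule matches once the inspector dechunks and decompresses the body first. The signature, the response builder and the helper names are assumptions made for this example.

```python
import gzip
import re

# Crude overflow-style pattern standing in for a real rule (assumption).
SIGNATURE = re.compile(rb"A{32,}")


def build_response(body: bytes, chunk_size: int = 7) -> bytes:
    """Constructed helper: gzip the body, then wrap it in chunked encoding."""
    compressed = gzip.compress(body)
    chunks = b""
    for i in range(0, len(compressed), chunk_size):
        piece = compressed[i:i + chunk_size]
        chunks += b"%x\r\n%s\r\n" % (len(piece), piece)
    chunks += b"0\r\n\r\n"  # last-chunk marker, no trailers
    headers = (b"HTTP/1.1 200 OK\r\n"
               b"Content-Type: text/html\r\n"
               b"Content-Encoding: gzip\r\n"
               b"Transfer-Encoding: chunked\r\n\r\n")
    return headers + chunks


def dechunk(data: bytes) -> bytes:
    """Reassemble a chunked body; ValueError on a malformed size field."""
    out = b""
    pos = 0
    while True:
        nl = data.index(b"\r\n", pos)
        size = int(data[pos:nl].split(b";")[0], 16)  # drop chunk extensions
        pos = nl + 2
        if size == 0:
            return out
        out += data[pos:pos + size]
        pos += size + 2  # skip chunk data and its trailing CRLF


def normalize(response: bytes) -> bytes:
    """Undo the transfer and content encodings so rules see the real body."""
    head, _, body = response.partition(b"\r\n\r\n")
    headers = head.lower()
    if b"transfer-encoding: chunked" in headers:
        body = dechunk(body)
    if b"content-encoding: gzip" in headers:
        body = gzip.decompress(body)
    return body


def matches(data: bytes) -> bool:
    """True when the signature fires on the given bytes."""
    return SIGNATURE.search(data) is not None
```

A sensor that matches on the raw bytes only reports `False` for the constructed response, while `matches(normalize(...))` reports `True`; the same normalization is where a chunk-size or decompression-bomb limit belongs.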

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
