Re: IDS detection approaches

[Jason <security () brvenik com>]

Nelson Brito wrote:
> > It is trivial to filter out post fact and is not normally occurring, I
> > consider the alert successful at detecting nefarious activity. Simple,
> > practical, effective.
>
> I do sorry you have this idea, because it is dangerous and you sub
> estimating your "enemy". 
>
> I sent just one example and the point is not the example itself, the point
> is the way the pattern matching IDS/IPS approaches the signature design. The
> pattern matching, in their concept, limits you to check a pattern. That is
> the point, because if you miss any vulnerable condition when detect /
> protect then you will miss the accuracy of the detection. This is well known
> by years.

You are not talking about missing a vulnerable condition, you are
talking about not handing a _non_ vulnerable condition. There is a very
real difference that has practical solutions and side effects. Who cares
if you can generate events for something on a stateless protocol that is
"correct" but an unsuccessful attempt? It's a trivial post processing
effort, a more real threat would be millions of real payloads requiring
wetware analysis not perl. That is why endpoint analysis becomes
important, not a trivially excluded meaningless payload.

Hobbyist signatures are for the hobbyist and hammers are for nails, you
can still get a screw into wood with a hammer though.


>  
> > We are talking right past each other here. So what if it is a null
> > payload, if your goal is resource exhaustion then use a real payload.
> > You have achieved absolutely nothing using the null payload, except
> > perhaps to make it easily filtered out of your result set.
>
> No, I disagree, we are not talking right past each other here, we are
> talking about different things here and I suppose I'm not be clear enough or
> I really need to get back my English classes. :D

It is not that you are not being clear, I think that you are missing
your point.

> The resource exhaustion does not target the SQL, it targets the IPS. If you
> launch this attack against the SQL, it will send you back a valid answer for
> your request just if you are really using a SQL in the test environment,
> because this kind of attack does not depend on SQL and you can run packets
> targeting any IP address protected by the IPS and it still reports the false
> positive.

Target the IPS all you want but do it with real payloads, BS known
unsuccessful payloads are trivially post processed and thus entirely
ineffective. You should use real payloads or achieve evasion so you at
least force wetware analysis and/or endpoint intelligence.

> That said I presume you now understand my point, otherwise I do refuse to
> keep this thread alive.

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------