Re: signature based IDS/IPS effectiveness

["Jamie Riden" <jamie.riden () gmail com>]

On 09/01/2008, GMail <mayur100 () gmail com> wrote:
> focus-ids,
>
>         How effective are signature based IDS/IPS systems on text based
> protocols which involves grammar like PL/SQL. Using PL/SQL I can write same
> query with different ways and different constructs that leads to different
> query patterns. So does not that mean stateless signature based IDS/IPS
> are useless for database servers, etc.

As you say, a Network IDS cannot do a good job of determining 'good'
SQL from 'bad' SQL in the general case, but then it's not really
designed to do that.

In a typical situation, you would have your DB server firewalled off
from all but a few hosts - typically your front-end servers. You make
sure the front-end servers are using the least privileges possible to
access the DB. Then you can create your IDS rules so that it alerts
you to attempted accesses to the DB that don't fit in with your
design. E.g. beware of large flows going from the DB server outside
your company, connection attempts to the DB server from outside your
company, lots of password guesses from the front-end servers to the DB
server.

cheers,
 Jamie
-- 
Jamie Riden / jamesr () europe com / jamie () honeynet org uk
UK Honeynet Project: http://www.ukhoneynet.org/

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------