IDS mailing list archives
Re: signature based IDS/IPS effectiveness
From: Paul Schmehl <pauls () utdallas edu>
Date: Thu, 10 Jan 2008 12:24:52 -0600
--On Thursday, January 10, 2008 15:32:28 +0530 GMail <mayur100 () gmail com> wrote:
> Thanks Jamie and Stefano for noticing my issues. 90% of commercial database-specific IDS/IPS systems do "signature matching" exploit detection. They are stateless and mostly based on Snort. So does this mean that all they can do is stop public exploits? If someone modifies the exploit, then the signatures will fail, and by that means the appliances too?
That depends greatly on the signature. All signatures are not created equally. For example, using snort it is possible to write a signature that checks first for the protocol, then the application, then the specific function and then the size of the data. That type of signature will never false positive and will always trigger on a buffer overflow regardless of the content of the data.
Many people think of signatures as simple regexes that can be easily defeated by using hex or base64 or some other form of obfuscation. Snort has the ability to normalize all those things *before* the regex is run, defeating the attempt to hide what's going on.
> Limiting privileges to the minimum required levels and installing the minimum required modules on databases will definitely reduce the risk ratio, but is it sufficient?
There are certain basic principles that should be followed when setting up and configuring databases:
1) Always only listen on the networks that are needed. E.g. db on the same box as the web server? Listen on a socket or localhost only.
2) Only grant access to a db for a user @ a specific host.
3) Never grant more access than is needed to do the job. Most web apps probably will work fine with select, insert and update permissions only.
4) Don't use the same user account for multiple dbs.
5) Don't put credentials in a text file readable by anything other than the db.
> What about vulnerabilities by which a normal user can get superuser privileges or carry out a DoS on database services? Is there any way to stop these kinds of attacks? Which would be the best available database security product to handle all these issues?
That depends greatly on what OS, applications and db you're using. ModSecurity is a good choice for Apache, for example, and can stop db attacks before they even get to the web server (much less the backend).
--
Paul Schmehl (pauls () utdallas edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
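The distinction drawn in the reply above, between a stateless content match for one public exploit and a signature that normalizes first and then walks protocol, application, function and argument size, is shown below as an added example. It is not code from this thread, from Snort, or from any product the thread mentions; it is a toy Python matcher run over constructed HTTP requests. The /app/search route, the 256-byte limit, the parameter name and every sample request are assumptions made for illustration, and the normalization step only URL-decodes (repeatedly, to catch double encoding) where Snort's own preprocessors do considerably more.

```python
"""Added example: a naive content signature versus a structured,
normalize-then-check signature for an oversized request parameter.

Everything here is constructed for illustration: the /app/search
"function", the 256-byte limit and the sample requests. Nothing
refers to a real product, rule set or vulnerability.
"""
import re
from urllib.parse import unquote_to_bytes

MAX_QUERY_LEN = 256  # assumed size the hypothetical backend can hold

# Step 1 of the structured rule: is this even the protocol we care about?
REQUEST_LINE = re.compile(rb"^(GET|POST) ([^ \r\n]+) HTTP/1\.[01]\r\n")


def naive_signature(payload: bytes) -> bool:
    """Stateless regex for one public exploit: a long run of literal 'A'.

    Runs on the raw bytes with no normalization, so a hex-encoded or
    differently padded copy of the same overflow slips past it.
    """
    return re.search(rb"A{200,}", payload) is not None


def normalize(value: bytes) -> bytes:
    """Fold '+' to space and URL-decode until the value stops changing.

    Looping until stable catches double-encoded input such as %2541.
    """
    prev = None
    while value != prev:
        prev = value
        value = unquote_to_bytes(value.replace(b"+", b" "))
    return value


def parse_query(path: bytes) -> dict[bytes, bytes]:
    """Split '/app/x?a=1&b=2' into {b'a': b'1', b'b': b'2'}, decoded."""
    if b"?" not in path:
        return {}
    params = {}
    for pair in path.split(b"?", 1)[1].split(b"&"):
        key, _, val = pair.partition(b"=")
        params[normalize(key)] = normalize(val)
    return params


def structured_signature(payload: bytes) -> bool:
    """Protocol -> application -> function -> argument size.

    Fires on any oversized 'query' argument to /app/search, whatever
    bytes it carries, and stays silent for every other route.
    """
    m = REQUEST_LINE.match(payload)
    if not m:
        return False                      # 1. not HTTP: rule does not apply
    path = m.group(2)
    route = path.split(b"?", 1)[0]
    if not route.startswith(b"/app/"):
        return False                      # 2. not our application
    if route != b"/app/search":
        return False                      # 3. not the vulnerable function
    query = parse_query(path).get(b"query", b"")
    return len(query) > MAX_QUERY_LEN     # 4. size check on normalized data


def http_get(path: bytes) -> bytes:
    """Build a minimal constructed HTTP request for the samples below."""
    return b"GET " + path + b" HTTP/1.1\r\nHost: app.example\r\n\r\n"


# Constructed sample traffic (not captured from any real system).
SAMPLES = {
    "benign":           http_get(b"/app/search?query=hello+world"),
    "public_exploit":   http_get(b"/app/search?query=" + b"A" * 300),
    "hex_encoded":      http_get(b"/app/search?query=" + b"%41" * 300),
    "different_filler": http_get(b"/app/search?query=" + b"B" * 300),
    "other_function":   http_get(b"/app/notes?body=" + b"A" * 300),
}


def evaluate() -> dict[str, tuple[bool, bool]]:
    """Return {sample: (naive fired, structured fired)} for every sample."""
    return {name: (naive_signature(p), structured_signature(p))
            for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (naive, structured) in evaluate().items():
        print(f"{name:18} naive={naive!s:5} structured={structured}")
```

The naive rule catches only the exact public exploit and also fires on the long argument sent to a different function, which is not what it was written for. The structured rule catches the hex-encoded and re-padded variants because the size check runs on normalized data, and it ignores /app/notes because the function check comes before the size check.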