Full Disclosure mailing list archives
Re: Is Marty Lying?
From: Jeffrey.Stebelton () bisys com
Date: Mon, 22 Sep 2003 19:56:38 -0400
"if you can set an IDS signature for something, then you shouldn't be vulnerable to it..... Useless." I don't know what kind of company you do security for, but mine has these prevalent security holes, also known as users. My IDS not only looks for the external attacks, the guy banging away at my FTP servers with Grims or running Whisker against my Web servers, but it also looks for the BackOrfice'd PC inside calling home. You know, the one caused when the guy on the second floor went to www.freesexfor everyone.com and downloaded what he thought was a screensaver of the tootsie flavor of the month. IDS is noisy, and it requires analysis, and yes, you see a lot of attempts against things that are already patched. But it also shows you who's doing recon, and the stealthy ones are the dangerous ones. That'll be the guy finding the FTP server some developer reloaded and forgot to tell you about, which now has a nice selection of first-run BiTTorrent movies available for download. It'll also detect the hack in North Korea looking for a misconfigured firewall object with NetBIOS ports enabled. And if you're telling me your environment is 100% patched all the time, then I'd say you don't have a whole lot servers you're responsible for. Useless? Not here. Jeff S |---------+--------------------------------------> | | security snot | | | <booger () unixclan net> | | | Sent by: | | | full-disclosure-admin@lists| | | .netsys.com | | | | | | | | | 09/22/2003 05:13 PM | | | | |---------+--------------------------------------> >---------------------------------------------------------------------------------------------------------------| | | | To: "Gregory A. Gilliss" <ggilliss () netpublishing com> | | cc: Peter Busser <peter () trusteddebian org>, full-disclosure () lists netsys com | | Subject: Re: [Full-disclosure] Is Marty Lying? | >---------------------------------------------------------------------------------------------------------------| "Detect intrusions" - if you can set an IDS signature for something, then you shouldn't be vulnerable to it. So the functionality of IDS is to tell you when you've been compromised by six-month old public vulnerabilities that dvdman has finally gotten his hands on an exploit for, that you never bothered to patch for? Useless. ----------------------------------------------------------- "Whitehat by day, booger at night - I'm the security snot." - CISSP / CCNA / A+ Certified - www.unixclan.net/~booger/ - ----------------------------------------------------------- On Mon, 22 Sep 2003, Gregory A. Gilliss wrote:
Peter: Intrusion Detection systems are designed to detect intrusions. Period. No one AFAIK has yet developed the Intrusion Prediction system. If you have an alpha version lying around, pls respond with a link. I'm sure that you will quickly be deluged with download requests =;^) Reactive is the nature of the beast, a point that has been rehashed many many times here and elsewhere. No finite state machine can anticipate or detect the virus that I am right now writing, unless I foolishly make
part
of the binary match an existing sig. there will *always* be a latency between action and response. One of the things that people on this list do is attempt to assist each other in minimizing that latency. Now, if we could only get some of the vendors onboard >-) G On or about 2003.09.22 21:23:52 +0000, Peter Busser
(peter () trusteddebian org) said:
Hi!3) Why the fuck do people still thing signature-based IDS is
worthwhile?
Give us another solution. Are you saying anomoly based ids signatures
are
_worthwhile_?The problem with IDS systems is the same problem that currently
available
virus scanners have: They work reactive and not proactive. Making machines harder to break into and improve ways to enforce a
security
policy (e.g. by using Mandatory Access Control (MAC)) would be one way
to
proactively deal with security.-- Gregory A. Gilliss, CISSP Telephone: 1 650
872 2420
Computer Engineering E-mail:
greg () gilliss com
Computer Security ICQ:
123710561
Software Development WWW:
http://www.gilliss.com/greg/
PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E
8C A3
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. Any other use of this information is strictly prohibited. If you have received this email in error please notify the system manager via email at mailadmin () bisys com and delete the file immediately. Thank you for your cooperation. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: Is Marty Lying?, (continued)
- Re: Is Marty Lying? Paul Schmehl (Sep 22)
- Re: Is Marty Lying? Valdis . Kletnieks (Sep 22)
- The usefullness of IDSes (Was: Re: Is Marty Lying?) Peter Busser (Sep 23)
- RE: The usefullness of IDSes (Was: Re: Is Marty Lying?) Philippe Bogaerts (Sep 23)
- RE: The usefullness of IDSes (Was: Re: Is Marty Lying?) Cedric Blancher (Sep 23)
- Re: Is Marty Lying? Peter Busser (Sep 22)
- Re: Is Marty Lying? Shawn McMahon (Sep 22)
- Re: Is Marty Lying? Frank Knobbe (Sep 22)