Full Disclosure mailing list archives
Re: Attack pattern selection criteria for IPS products
From: Valdis.Kletnieks () vt edu
Date: Thu, 08 Oct 2009 16:06:30 -0400
On Fri, 09 Oct 2009 00:47:24 +0530, srujan said:
> What is the vulnerability selection criteria of Tipping Point, Juniper IPS products? Is it covering each and every CVE ID or is it selecting particular kind of attacks? If so what is selection criteria (cvss score or severity level or most publicly exploited)?
If the answer isn't "customer network admin selects it", the products are broken and brain damaged.

Different sites have different security stances, and different opinions regarding the trade-off between the added security benefit and the throughput and latency hits you take. Even within a site, the trade-offs may vary. I have some machines that are actually air-gapped, some that are heavily firewalled, and some that are lightly firewalled - and there's probably some Snort sensors and honeypots too.. ;)

If you're asking for "what pre-canned detection rules they come with", it's probably "all the known vulns that we can figure out how to write a Snort rule that doesn't suck resources". :)

OK, maybe they don't use Snort - but the same problems of filter expressiveness, whether/how to do a regexp, and so on, are faced by all IDS/IPS systems. If you need to do a regexp backref, it's going to either not be part of the available toolset, or it's going to suck at line rate on high speed interfaces. Matching '\((134|934){3,5})\(foo|bar)(more ugly)(\1|\2)' is going to suck whether it's Snort or silicon.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
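An added example, not part of the message above and not any vendor's tooling: a Python check that flags Snort-style `pcre` rule options containing backreferences, the construct the reply singles out as too costly at line rate, so they can be reviewed before a rule set is enabled on a fast link. The sample rules and sids are constructed, and treating every `\N` outside a character class as a backreference is a simplifying assumption.

```python
import re

# Backreference tokens in PCRE: \1, \k<n>, \k{n}, \k'n', \g1, \g{-1}, (?P=n).
# Assumption: any \N (N >= 1) is a backreference; PCRE may read \10+ as octal.
BACKREF = re.compile(
    r"\\(?:[1-9]\d*|k(?:<\w+>|\{\w+\}|'\w+')|g(?:-?\d+|\{-?\w+\}))|\(\?P=\w+\)")
PCRE_OPT = re.compile(r'pcre:\s*!?"/(.*?)/[A-Za-z]*"\s*;')
SID_OPT = re.compile(r"sid:\s*(\d+)\s*;")

def find_backrefs(pattern):
    """Return the backreference tokens used in a PCRE pattern, in order."""
    found, i, in_class = [], 0, False
    while i < len(pattern):
        m = None if in_class else BACKREF.match(pattern, i)  # [\1] is octal
        if m:
            found.append(m.group())
            i = m.end()
        elif pattern[i] == "\\":
            i += 2                      # other escape, e.g. \\ or \] or \w
        elif in_class:
            in_class = pattern[i] != "]"
            i += 1
        elif pattern[i] == "[":
            in_class = True
            i += 2 if pattern.startswith("^", i + 1) else 1
            if pattern.startswith("]", i):
                i += 1                  # a leading ] is a literal member
        else:
            i += 1
    return found

def audit(rules):
    """Map sid -> backreference tokens for rules whose pcre options use any."""
    flagged = {}
    for rule in rules:
        refs = [r for body in PCRE_OPT.findall(rule) for r in find_backrefs(body)]
        if refs:
            sid = SID_OPT.search(rule)
            flagged[sid.group(1) if sid else "?"] = refs
    return flagged

SAMPLE_RULES = [  # constructed: messages, patterns and sids are made up
    r'alert tcp any any -> any 80 (msg:"repeat"; pcre:"/(foo|bar)=\w+&\1=/i"; sid:1000001;)',
    r'alert tcp any any -> any 80 (msg:"class"; pcre:"/id=[\1-\7]{3,5}/"; sid:1000002;)',
    r'alert tcp any any -> any 80 (msg:"named"; pcre:"/(?P<q>[\x22\x27])x(?P=q)/"; sid:1000003;)',
]

if __name__ == "__main__":
    print(audit(SAMPLE_RULES))
```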