Full Disclosure mailing list archives
Re: Attack pattern selection criteria for IPS products
From: James Matthews <nytrokiss () gmail com>
Date: Sun, 11 Oct 2009 20:07:41 -0400
Yes, they do all look at the same common holes and flag them, but as for detection everyone has a different method.
On Fri, Oct 9, 2009 at 1:16 PM, Rohit Patnaik <quanticle () gmail com> wrote:

> Why would Cisco, Juniper, etc. maintain the signature sets? Presumably, each company maintains its own set of allow/deny rules.
>
> --Rohit Patnaik
>
> 2009/10/9 srujan <srujan82 () gmail com>:
>
>> I agree with your word, let "customer network admin selects it". But Tipping Point, Juniper, Cisco and Snort will have a wide range of customers, and maintaining a different signature set for different Orgs is a big headache. All these guys are maintaining 95% to 99% detection coverage at NSS testing. That's why I asked about the selection criteria.
>>
>> On Fri, Oct 9, 2009 at 1:36 AM, <Valdis.Kletnieks () vt edu> wrote:
>>
>>> On Fri, 09 Oct 2009 00:47:24 +0530, srujan said:
>>>
>>>> What is the vulnerability selection criteria of Tipping Point, Juniper IPS products? Is it covering each and every CVE ID or is it selecting particular kind of attacks? If so, what is the selection criteria (CVSS score or severity level or most publicly exploited)?
>>>
>>> If the answer isn't "customer network admin selects it", the products are broken and brain damaged. Different sites have different security stances, and different opinions regarding the trade-off between the added security benefit and the throughput and latency hits you take. Even within a site, the trade-offs may vary. I have some machines that are actually air-gapped, some that are heavily firewalled, and some that are lightly firewalled - and there's probably some Snort sensors and honeypots too.. ;)
>>>
>>> If you're asking for "what pre-canned detection rules they come with", it's probably "all the known vulns that we can figure out how to write a Snort rule that doesn't suck resources". :)
>>>
>>> OK, maybe they don't use Snort - but the same problems of filter expressiveness, whether/how to do a regexp, and so on, are faced by all IDS/IPS systems. If you need to do a regexp backref, it's going to either not be part of the available toolset, or it's going to suck at line rate on high speed interfaces.
>>>
>>> Matching '\((134|934){3,5})\(foo|bar)(more ugly)(\1|\2)' is going to suck whether it's Snort or silicon.
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
-- http://www.goldwatches.com
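Valdis's point about backreferences, as an added example that is not from anyone in the thread: Go's regexp package is an RE2-style engine that guarantees linear-time matching and so refuses to compile a backreference at all, while the same pattern without the `\1` compiles and matches. The candidate patterns and the sample payload are constructed for illustration, not taken from any product's rule set.

```go
package main

import (
	"fmt"
	"regexp"
)

// PatternCheck records whether an RE2-style engine accepts a candidate
// detection pattern. Go's regexp is such an engine: it guarantees linear-time
// matching and therefore omits backreferences, which would require a
// backtracking matcher whose cost can explode on hostile traffic.
type PatternCheck struct {
	Pattern  string
	Accepted bool
	Reason   string // compile error text when rejected
}

// CheckPattern reports whether pattern compiles under the linear-time engine.
func CheckPattern(pattern string) PatternCheck {
	if _, err := regexp.Compile(pattern); err != nil {
		return PatternCheck{Pattern: pattern, Reason: err.Error()}
	}
	return PatternCheck{Pattern: pattern, Accepted: true}
}

// MatchPayload applies a pattern to a payload; a rejected pattern never
// matches because the engine cannot run it at all.
func MatchPayload(pattern, payload string) bool {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return false
	}
	return re.MatchString(payload)
}

// Constructed candidates (not rules from any product): the first is a plain
// regular language, the second appends a backreference to the first group.
var Candidates = []string{
	`(134|934){3,5}(foo|bar)`,
	`(134|934){3,5}(foo|bar)\1`,
}

func main() {
	payload := "934134934foo" // constructed sample payload
	for _, p := range Candidates {
		c := CheckPattern(p)
		fmt.Printf("%-28s accepted=%-5v match=%v %s\n",
			c.Pattern, c.Accepted, MatchPayload(p, payload), c.Reason)
	}
}
```

Running it prints one accepted pattern that matches the payload and one rejected with an "invalid escape sequence" compile error, which is the "not part of the available toolset" branch of the trade-off Valdis describes.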