Re: Full-disclosure] Why the IPS product designers

[Nelson Brito <nbrito () sekure org>]

Ohh.. I just forgot to send you some intereting links:
http://en.wikipedia.org/wiki/Intrusion_prevention_system
http://en.wikipedia.org/wiki/Intrusion_detection_system
http://en.wikipedia.org/wiki/Host-based_intrusion_detection_system
http://en.wikipedia.org/wiki/Network_intrusion_detection_system

Just to educate you! 8)

Nelson Brito
Security Researcher
http://fnstenv.blogspot.com/

Please, help me to develop the ENG® SQL Fingerprint™ downloading it  
from Google Code (http://code.google.com/p/mssqlfp/) or from  
Sourceforge (https://sourceforge.net/projects/mssqlfp/).

Sent on an  iPhone wireless device. Please, forgive any potential  
misspellings!

On Jun 2, 2010, at 3:35 AM, "Cor Rosielle" <cor () outpost24 com> wrote:

> I would say: an host IPS could be considered, even if there is a  
> network
> IPS. If it is a wise decision to spent your money or use your  
> hardware for
> this, depends from case to case. And I might even add: if someone  
> tells you
> different, he must be selling something.
>
> Regards,
> Cor
>
>
> > -----Original Message-----
> > From: full-disclosure-bounces () lists grok org uk [mailto:full-
> > disclosure-bounces () lists grok org uk] On Behalf Of Srinivas Naik
> > Sent: dinsdag 1 juni 2010 21:14
> > To: full-disclosure () lists grok org uk
> > Subject: [Full-disclosure] Full-disclosure] Why the IPS product
> > designers
> >
> > Mr. Nelson has brought a good point, Host IPS should also be running
> > even if
> > there is Nework IPS.
> >
> > There are Client end Attacks which has got many Evasion techniques  
> > and
> > almost the recent research presents us the proof of such Attacks.
> > Apart these there exist other exploits/malware which cannot be  
> > detected
> > over
> > the network.
> >
> > Regards,
> > Srinivas Naik (Certified Hacker and Forensic Investigator)
> > IPS Evaluator
> > http://groups.google.com/group/nforceit
> >
> > On Tue, Jun 1, 2010 at 9:16 PM,
> > <full-disclosure-request () lists grok org uk>wrote:
> >
> > > Send Full-Disclosure mailing list submissions to
> > >       full-disclosure () lists grok org uk
> > >
> > > To subscribe or unsubscribe via the World Wide Web, visit
> > >       https://lists.grok.org.uk/mailman/listinfo/full-disclosure
> > > or, via email, send a message with subject or body 'help' to
> > >       full-disclosure-request () lists grok org uk
> > >
> > > You can reach the person managing the list at
> > >       full-disclosure-owner () lists grok org uk
> > >
> > > When replying, please edit your Subject line so it is more specific
> > > than "Re: Contents of Full-Disclosure digest..."
> > >
> > >
> > > Note to digest recipients - when replying to digest posts, please
> > trim your
> > > post appropriately. Thank you.
> > >
> > >
> > > Today's Topics:
> > >
> > >  1. Re: Why the IPS product designers concentrate on  server side
> > >     protection? why they are missing client protection (Nelson
> > Brito)
> > >  2. Re: Why the IPS product designers concentrate on  server side
> > >     protection? why they are missing client protection
> > >     (Valdis.Kletnieks () vt edu)
> > >  3. DoS vulnerability in Internet Explorer (MustLive)
> > >  4. Re: Why the IPS product designers concentrate on  server side
> > >     protection? why they are missing client protection (rajendra
> > prasad)
> > >  5. Re: Why the IPS product designers concentrate     on      server
> > side
> > >     protection? why they are missing client protection (Cor
> > Rosielle)
> > >  6. Re: Why the IPS product designers concentrate on  server side
> > >     protection? why they are missing client protection (Nelson
> > Brito)
> > >  7. Re: Why the IPS product designers concentrate on  server side
> > >     protection? why they are missing client protection (Nelson
> > Brito)
> > >  8. Re: DoS vulnerability in Internet Explorer (Laurent Gaffie)
> > >  9. Re: DoS vulnerability in Internet Explorer (Laurent Gaffie)
> > > 10. Re: Why the IPS product designers concentrate on  server side
> > >     protection? why they are missing client protection (Cor
> > Rosielle)
> > > 11. Re: DoS vulnerability in Internet Explorer (PsychoBilly)
> > > 12. Re: Why the IPS product designers concentrate on  server side
> > >     protection? why they are missing client protection (Nelson
> > Brito)
> > > 13. Onapsis Research Labs: Onapsis Bizploit - The opensource ERP
> > >     Penetration Testing framework (Onapsis Research Labs)
> > > 14. Re: The_UT is repenting (T Biehn)
> > >
> > >
> > > --- 
> > > ------------------------------------------------------------------
> > -
> > > Message: 1
> > > Date: Tue, 1 Jun 2010 08:50:05 -0300
> > > From: Nelson Brito <nbrito () sekure org>
> > > Subject: Re: [Full-disclosure] Why the IPS product designers
> > >       concentrate on  server side protection? why they are missing
> > client
> > >       protection
> > > To: rajendra prasad <rajendra.palnaty () gmail com>
> > > Cc: "full-disclosure () lists grok org uk"
> > >       <full-disclosure () lists grok org uk>
> > > Message-ID: <E01DF83F-4EB0-4212-8866-76DDB5C3B55B () sekure org>
> > > Content-Type: text/plain;       charset=utf-8;  format=flowed;
> > delsp=yes
> > > You're missing one point: Host IPS MUST be deployed with any Network
> > > Security (Firewalls os NIPSs).
> > >
> > > No security solution/technology is the miracle protection alone, so
> > > that's the reason everybody is talking about defense in depth.
> > >
> > > Cheers.
> > >
> > > Nelson Brito
> > > Security Researcher
> > > http://fnstenv.blogspot.com/
> > >
> > > Please, help me to develop the ENG? SQL Fingerprint? downloading it
> > > from Google Code (http://code.google.com/p/mssqlfp/) or from
> > > Sourceforge (https://sourceforge.net/projects/mssqlfp/).
> > >
> > > Sent on an ? iPhone wireless device. Please, forgive any potential
> > > misspellings!
> > >
> > > On Jun 1, 2010, at 4:38 AM, rajendra prasad
> > > <rajendra.palnaty () gmail com> wrote:
> > >
> > > > Hi List,
> > > >
> > > > I am putting my thoughts on this, please share your thoughts,
> > > > comments.
> > > >
> > > > Request length is less than the response length.So, processing
> > small
> > > > amount of data is better than of processing bulk data. Response may
> > > > have encrypted data. Buffering all the client-server transactions
> > > > and validating signatures on them is difficult. Even though
> > > > buffered, client data may not be in the plain text. Embedding all
> > > > the client encryption/decryption process on the fly is not
> > possible,
> > > > even though ips gathered key values of clients.Most of the client
> > > > protection is done by anti-virus. So, concentrating client attacks
> > > > at IPS level is not so needed.
> > > >
> > > >
> > > > Thanks
> > > > Rajendra
> > > >
> > > >
> > > > _______________________________________________
> > > > Full-Disclosure - We believe in it.
> > > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > > Hosted and sponsored by Secunia - http://secunia.com/
> > >
> > >
> > >
> > > ------------------------------
> > >
> > > Message: 2
> > > Date: Tue, 01 Jun 2010 08:34:22 -0400
> > > From: Valdis.Kletnieks () vt edu
> > > Subject: Re: [Full-disclosure] Why the IPS product designers
> > >       concentrate on  server side protection? why they are missing
> > client
> > >       protection
> > > To: rajendra prasad <rajendra.palnaty () gmail com>
> > > Cc: full-disclosure () lists grok org uk
> > > Message-ID: <14206.1275395662@localhost>
> > > Content-Type: text/plain; charset="us-ascii"
> > >
> > > On Tue, 01 Jun 2010 13:08:32 +0530, rajendra prasad said:
> > >
> > > > Request length is less than the response length.So, processing
> > small
> > > amount
> > > > of data is better than of processing bulk data. Response may have
> > > encrypted
> > > > data. Buffering all the client-server transactions and validating
> > > signatures
> > > > on them is difficult.
> > >
> > > All of that is total wanking.  The *real* reason why IPS product
> > designers
> > > concentrate on servers is because hopefully the server end is run by
> > some
> > > experienced people with a clue, and maybe even hardened to last more
> > than
> > > 35 seconds when a hacker attacks.  Meanwhile, if anybody designed an
> > IPS
> > > for
> > > the client end, it would just get installed on an end-user PC  
> > > running
> > > Windows,
> > > where it will have all the issues and work just as well as any other
> > > anti-malware software on an end-user PC.
> > >
> > > Oh - and there's also the little detail that a site is more likely  
> > > to
> > buy
> > > *one* software license to run on their web server (or whatever),
> > rather
> > > than
> > > the hassle of buying and administering 10,000 end-user licenses.
> > > Especially
> > > when an IPS on the client end doesn't actually tell you much about
> > attacks
> > > against the valuable target (the server) from machines you haven't
> > > installed
> > > the end-user IPS on (like the entire rest of the Internet).
> > > -------------- next part --------------
> > > A non-text attachment was scrubbed...
> > > Name: not available
> > > Type: application/pgp-signature
> > > Size: 227 bytes
> > > Desc: not available
> > > Url :
> > > http://lists.grok.org.uk/pipermail/full-
> > disclosure/attachments/20100601/0896c76b/attachment-0001.bin
> > > ------------------------------
> > >
> > > Message: 3
> > > Date: Tue, 1 Jun 2010 15:42:58 +0300
> > > From: "MustLive" <mustlive () websecurity com ua>
> > > Subject: [Full-disclosure] DoS vulnerability in Internet Explorer
> > > To: <full-disclosure () lists grok org uk>
> > > Message-ID: <005e01cb0188$162059b0$010000c0@ml>
> > > Content-Type: text/plain; format=flowed; charset="windows-1251";
> > >       reply-type=response
> > >
> > > Hello Full-Disclosure!
> > >
> > > I want to warn you about Denial of Service vulnerability in Internet
> > > Explorer. Which I already disclosed at my site in 2008 (at
> > 29.09.2008). But
> > > recently I made new tests concerning this vulnerability, so I  
> > > decided
> > to
> > > remind you about it.
> > >
> > > I know this vulnerability for a long time - it's well-known DoS in
> > IE. It
> > > works in IE6 and after release of IE7 I hoped that Microsoft fixed
> > this
> > > hole
> > > in seventh version of the browser. But as I tested at 29.09.2008,  
> > > IE7
> > was
> > > also vulnerable to this attack. And as I tested recently, IE8 is  
> > > also
> > > vulnerable to this attack.
> > >
> > > Also I informed Microsoft at 01.10.2008 about it, but they ignored
> > and
> > > didn't fix it. They didn't fix the hole not in IE6, nor in IE7, nor
> > in IE8.
> > > That time I published about this vulnerability at SecurityVulns
> > > (http://securityvulns.com/Udocument636.html).
> > >
> > > DoS:
> > >
> > > Vulnerability concerned with handling by browser of expression in
> > styles,
> > > which leads to blocking of work of IE.
> > >
> > > http://websecurity.com.ua/uploads/2008/IE%20DoS%20Exploit4.html
> > >
> > > Vulnerable versions are Internet Explorer 6 (6.0.2900.2180),  
> > > Internet
> > > Explorer 7 (7.0.6000.16711), Internet Explorer 8 (8.0.7600.16385)  
> > > and
> > > previous versions.
> > >
> > > To Susan Bradley from Bugtraq:
> > >
> > > This is one of those cases, which I told you before, when browser
> > vendors
> > > ignore to fix DoS holes in their browsers for many years.
> > >
> > > Best wishes & regards,
> > > MustLive
> > > Administrator of Websecurity web site
> > > http://websecurity.com.ua
> > >
> > >
> > >
> > > ------------------------------
> > >
> > > Message: 4
> > > Date: Tue, 1 Jun 2010 18:28:03 +0530
> > > From: rajendra prasad <rajendra.palnaty () gmail com>
> > > Subject: Re: [Full-disclosure] Why the IPS product designers
> > >       concentrate on  server side protection? why they are missing
> > client
> > >       protection
> > > To: full-disclosure () lists grok org uk
> > > Message-ID:
> > >       <AANLkTinFeCKoKUNI59k2citWgTJlytqjRiZ8Ze8oM1rp () mail gmail com>
> > > Content-Type: text/plain; charset="iso-8859-1"
> > >
> > > Hi List,
> > >
> > > I have started this discussion with respect to Network IPS.
> > >
> > > Thanks
> > > Rajendra
> > >
> > > On Tue, Jun 1, 2010 at 1:08 PM, rajendra prasad
> > > <rajendra.palnaty () gmail com>wrote:
> > >
> > > > Hi List,
> > > >
> > > > I am putting my thoughts on this, please share your thoughts,
> > comments.
> > > > Request length is less than the response length.So, processing
> > small
> > > amount
> > > > of data is better than of processing bulk data. Response may have
> > > encrypted
> > > > data. Buffering all the client-server transactions and validating
> > > signatures
> > > > on them is difficult. Even though buffered, client data may not be
> > in the
> > > > plain text. Embedding all the client encryption/decryption process
> > on the
> > > > fly is not possible, even though ips gathered key values of
> > clients.Most
> > > of
> > > > the client protection is done by anti-virus. So, concentrating
> > client
> > > > attacks at IPS level is not so needed.
> > > >
> > > >
> > > > Thanks
> > > > Rajendra
> > > -------------- next part --------------
> > > An HTML attachment was scrubbed...
> > > URL:
> > > http://lists.grok.org.uk/pipermail/full-
> > disclosure/attachments/20100601/0cb18940/attachment-0001.html
> > > ------------------------------
> > >
> > > Message: 5
> > > Date: Tue, 1 Jun 2010 14:52:51 +0200
> > > From: "Cor Rosielle" <cor () outpost24 com>
> > > Subject: Re: [Full-disclosure] Why the IPS product designers
> > >       concentrate     on      server side protection? why they are
> > missing
> > > client
> > >       protection
> > > To: "'Nelson Brito'" <nbrito () sekure org>
> > > Cc: full-disclosure () lists grok org uk
> > > Message-ID: <003001cb0189$5962ddf0$0c2899d0$@com>
> > > Content-Type: text/plain;       charset="UTF-8"
> > >
> > > Nelson,
> > >
> > > > You're missing one point: Host IPS MUST be deployed with any
> > Network
> > > > Security (Firewalls os NIPSs).
> > > Please be aware this is a risk decision and not a fact. I don't use
> > an host
> > > IPS and no anti Virus either. Still I'm sure my laptop is perfectly
> > safe.
> > > This is because I do critical thinking about security measures and
> > don't
> > > copy behavior of others (who often don't think for themselves and
> > just
> > > copies other peoples behavior). Please note I'm not saying you're  
> > > not
> > > thinking. If you did some critical thinking and an host IPS is a  
> > > good
> > > solution for you, then that's OK> It just doesn't mean it is a good
> > solution
> > > for everybody else and everybody MUST deploy an host IPS.
> > >
> > > > No security solution/technology is the miracle protection alone,
> > > That's true.
> > >
> > > > so that's the reason everybody is talking about defense in depth.
> > > Defense in depth is often used for another line of a similar defense
> > > mechanism as the previous already was. Different layers of defense
> > works
> > > best if the defense mechanism differ. So if you're using anti virus
> > software
> > > (which gives you an authentication control and an alarm control
> > according to
> > > the OSSTMM), then an host IDS is not the best additional security
> > measure
> > > (because this also gives you an authentication and an alarm  
> > > control).
> > > This would also be a risk decision, but based on facts and the rules
> > > defined in the OSSTMM and not based on some marketing material. You
> > should
> > > give it a try.
> > >
> > > Regards,
> > > Cor Rosielle
> > >
> > > w: www.lab106.com
> > >
> > >
> > >
> > > ------------------------------
> > >
> > > Message: 6
> > > Date: Tue, 1 Jun 2010 10:27:48 -0300
> > > From: Nelson Brito <nbrito () sekure org>
> > > Subject: Re: [Full-disclosure] Why the IPS product designers
> > >       concentrate on  server side protection? why they are missing
> > client
> > >       protection
> > > To: rajendra prasad <rajendra.palnaty () gmail com>
> > > Cc: "full-disclosure () lists grok org uk"
> > >       <full-disclosure () lists grok org uk>
> > > Message-ID: <76444513-375E-472C-A3CA-8F4A9776EDD4 () sekure org>
> > > Content-Type: text/plain; charset="utf-8"
> > >
> > > Okay, but why did you mention AV as a client-side protection?
> > >
> > > It leads to a discussion about client-side protection, anyways.
> > >
> > > Cheers.
> > >
> > > Nelson Brito
> > > Security Researcher
> > > http://fnstenv.blogspot.com/
> > >
> > > Please, help me to develop the ENG? SQL Fingerprint? downloading it
> > > from Google Code (http://code.google.com/p/mssqlfp/) or from
> > > Sourceforge (https://sourceforge.net/projects/mssqlfp/).
> > >
> > > Sent on an ? iPhone wireless device. Please, forgive any potential
> > > misspellings!
> > >
> > > On Jun 1, 2010, at 9:58 AM, rajendra prasad
> > > <rajendra.palnaty () gmail com> wrote:
> > >
> > > > Hi List,
> > > >
> > > > I have started this discussion with respect to Network IPS.
> > > >
> > > > Thanks
> > > > Rajendra
> > > >
> > > > On Tue, Jun 1, 2010 at 1:08 PM, rajendra prasad <
> > > rajendra.palnaty () gmail com
> > > > > wrote:
> > > > Hi List,
> > > >
> > > > I am putting my thoughts on this, please share your thoughts,
> > > > comments.
> > > >
> > > > Request length is less than the response length.So, processing
> > small
> > > > amount of data is better than of processing bulk data. Response may
> > > > have encrypted data. Buffering all the client-server transactions
> > > > and validating signatures on them is difficult. Even though
> > > > buffered, client data may not be in the plai

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/