Full Disclosure mailing list archives
Re: Full-disclosure] Why the IPS product designers
From: Nelson Brito <nbrito () sekure org>
Date: Wed, 2 Jun 2010 11:12:48 -0300
Ohh.. I just forgot to send you some interesting links:

http://en.wikipedia.org/wiki/Intrusion_prevention_system
http://en.wikipedia.org/wiki/Intrusion_detection_system
http://en.wikipedia.org/wiki/Host-based_intrusion_detection_system
http://en.wikipedia.org/wiki/Network_intrusion_detection_system

Just to educate you! 8)

Nelson Brito
Security Researcher
http://fnstenv.blogspot.com/

Please, help me to develop the ENG® SQL Fingerprint™ downloading it from Google Code (http://code.google.com/p/mssqlfp/) or from Sourceforge (https://sourceforge.net/projects/mssqlfp/).

Sent on an iPhone wireless device. Please, forgive any potential misspellings!

On Jun 2, 2010, at 3:35 AM, "Cor Rosielle" <cor () outpost24 com> wrote:

> I would say: a host IPS could be considered, even if there is a network IPS. Whether it is a wise decision to spend your money or use your hardware for this varies from case to case. And I might even add: if someone tells you different, he must be selling something.
>
> Regards,
> Cor
>
> -----Original Message-----
> From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Srinivas Naik
> Sent: Tuesday, 1 June 2010 21:14
> To: full-disclosure () lists grok org uk
> Subject: [Full-disclosure] Full-disclosure] Why the IPS product designers
>
> Mr. Nelson has brought up a good point: Host IPS should also be running even if there is Network IPS. There are client-end attacks which have many evasion techniques, and recent research presents us the proof of such attacks. Apart from these there exist other exploits/malware which cannot be detected over the network.
>
> Regards,
> Srinivas Naik (Certified Hacker and Forensic Investigator)
> IPS Evaluator
> http://groups.google.com/group/nforceit
>
> On Tue, Jun 1, 2010 at 9:16 PM, <full-disclosure-request () lists grok org uk> wrote:
>
>> Today's Topics:
>>
>> 1. Re: Why the IPS product designers concentrate on server side protection? why they are missing client protection (Nelson Brito)
>> 2. Re: Why the IPS product designers concentrate on server side protection? why they are missing client protection (Valdis.Kletnieks () vt edu)
>> 3. DoS vulnerability in Internet Explorer (MustLive)
>> 4. Re: Why the IPS product designers concentrate on server side protection? why they are missing client protection (rajendra prasad)
>> 5. Re: Why the IPS product designers concentrate on server side protection? why they are missing client protection (Cor Rosielle)
>> 6. Re: Why the IPS product designers concentrate on server side protection? why they are missing client protection (Nelson Brito)
>> 7. Re: Why the IPS product designers concentrate on server side protection? why they are missing client protection (Nelson Brito)
>> 8. Re: DoS vulnerability in Internet Explorer (Laurent Gaffie)
>> 9. Re: DoS vulnerability in Internet Explorer (Laurent Gaffie)
>> 10. Re: Why the IPS product designers concentrate on server side protection? why they are missing client protection (Cor Rosielle)
>> 11. Re: DoS vulnerability in Internet Explorer (PsychoBilly)
>> 12. Re: Why the IPS product designers concentrate on server side protection? why they are missing client protection (Nelson Brito)
>> 13. Onapsis Research Labs: Onapsis Bizploit - The opensource ERP Penetration Testing framework (Onapsis Research Labs)
>> 14. Re: The_UT is repenting (T Biehn)
>>
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Tue, 1 Jun 2010 08:50:05 -0300
>> From: Nelson Brito <nbrito () sekure org>
>> Subject: Re: [Full-disclosure] Why the IPS product designers concentrate on server side protection? why they are missing client protection
>> To: rajendra prasad <rajendra.palnaty () gmail com>
>> Cc: "full-disclosure () lists grok org uk" <full-disclosure () lists grok org uk>
>> Message-ID: <E01DF83F-4EB0-4212-8866-76DDB5C3B55B () sekure org>
>> Content-Type: text/plain; charset=utf-8; format=flowed; delsp=yes
>>
>> You're missing one point: Host IPS MUST be deployed with any Network Security (Firewalls or NIPSs).
>>
>> No security solution/technology is the miracle protection alone, so that's the reason everybody is talking about defense in depth.
>>
>> Cheers.
>>
>> Nelson Brito
>> Security Researcher
>> http://fnstenv.blogspot.com/
>>
>> Please, help me to develop the ENG® SQL Fingerprint™ downloading it from Google Code (http://code.google.com/p/mssqlfp/) or from Sourceforge (https://sourceforge.net/projects/mssqlfp/).
>>
>> Sent on an iPhone wireless device. Please, forgive any potential misspellings!
>>
>> On Jun 1, 2010, at 4:38 AM, rajendra prasad <rajendra.palnaty () gmail com> wrote:
>>
>>> Hi List,
>>>
>>> I am putting my thoughts on this, please share your thoughts, comments.
>>>
>>> Request length is less than the response length. So, processing a small amount of data is better than processing bulk data. Response may have encrypted data. Buffering all the client-server transactions and validating signatures on them is difficult. Even though buffered, client data may not be in plain text. Embedding all the client encryption/decryption process on the fly is not possible, even though the IPS gathered key values of clients. Most of the client protection is done by anti-virus. So, concentrating on client attacks at IPS level is not so needed.
>>>
>>> Thanks
>>> Rajendra
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>> ------------------------------
>>
>> Message: 2
>> Date: Tue, 01 Jun 2010 08:34:22 -0400
>> From: Valdis.Kletnieks () vt edu
>> Subject: Re: [Full-disclosure] Why the IPS product designers concentrate on server side protection? why they are missing client protection
>> To: rajendra prasad <rajendra.palnaty () gmail com>
>> Cc: full-disclosure () lists grok org uk
>> Message-ID: <14206.1275395662@localhost>
>> Content-Type: text/plain; charset="us-ascii"
>>
>> On Tue, 01 Jun 2010 13:08:32 +0530, rajendra prasad said:
>>
>>> Request length is less than the response length. So, processing a small amount of data is better than processing bulk data. Response may have encrypted data. Buffering all the client-server transactions and validating signatures on them is difficult.
>>
>> All of that is total wanking. The *real* reason why IPS product designers concentrate on servers is because hopefully the server end is run by some experienced people with a clue, and maybe even hardened to last more than 35 seconds when a hacker attacks. Meanwhile, if anybody designed an IPS for the client end, it would just get installed on an end-user PC running Windows, where it will have all the issues and work just as well as any other anti-malware software on an end-user PC.
>>
>> Oh - and there's also the little detail that a site is more likely to buy *one* software license to run on their web server (or whatever), rather than the hassle of buying and administering 10,000 end-user licenses. Especially when an IPS on the client end doesn't actually tell you much about attacks against the valuable target (the server) from machines you haven't installed the end-user IPS on (like the entire rest of the Internet).
>>
>> ------------------------------
>>
>> Message: 3
>> Date: Tue, 1 Jun 2010 15:42:58 +0300
>> From: "MustLive" <mustlive () websecurity com ua>
>> Subject: [Full-disclosure] DoS vulnerability in Internet Explorer
>> To: <full-disclosure () lists grok org uk>
>> Message-ID: <005e01cb0188$162059b0$010000c0@ml>
>> Content-Type: text/plain; format=flowed; charset="windows-1251"; reply-type=response
>>
>> Hello Full-Disclosure!
>>
>> I want to warn you about a Denial of Service vulnerability in Internet Explorer, which I already disclosed at my site in 2008 (at 29.09.2008). But recently I made new tests concerning this vulnerability, so I decided to remind you about it.
>>
>> I have known this vulnerability for a long time - it's a well-known DoS in IE. It works in IE6, and after the release of IE7 I hoped that Microsoft had fixed this hole in the seventh version of the browser. But as I tested at 29.09.2008, IE7 was also vulnerable to this attack. And as I tested recently, IE8 is also vulnerable to this attack.
>>
>> Also I informed Microsoft at 01.10.2008 about it, but they ignored it and didn't fix it. They didn't fix the hole in IE6, nor in IE7, nor in IE8. At that time I published about this vulnerability at SecurityVulns (http://securityvulns.com/Udocument636.html).
>>
>> DoS:
>>
>> The vulnerability is concerned with the browser's handling of expression in styles, which blocks IE from working.
>>
>> http://websecurity.com.ua/uploads/2008/IE%20DoS%20Exploit4.html
>>
>> Vulnerable versions are Internet Explorer 6 (6.0.2900.2180), Internet Explorer 7 (7.0.6000.16711), Internet Explorer 8 (8.0.7600.16385) and previous versions.
>>
>> To Susan Bradley from Bugtraq: This is one of those cases, which I told you about before, when browser vendors ignore fixing DoS holes in their browsers for many years.
>>
>> Best wishes & regards,
>> MustLive
>> Administrator of Websecurity web site
>> http://websecurity.com.ua
>>
>> ------------------------------
>>
>> Message: 4
>> Date: Tue, 1 Jun 2010 18:28:03 +0530
>> From: rajendra prasad <rajendra.palnaty () gmail com>
>> Subject: Re: [Full-disclosure] Why the IPS product designers concentrate on server side protection? why they are missing client protection
>> To: full-disclosure () lists grok org uk
>> Message-ID: <AANLkTinFeCKoKUNI59k2citWgTJlytqjRiZ8Ze8oM1rp () mail gmail com>
>> Content-Type: text/plain; charset="iso-8859-1"
>>
>> Hi List,
>>
>> I have started this discussion with respect to Network IPS.
>>
>> Thanks
>> Rajendra
>>
>> On Tue, Jun 1, 2010 at 1:08 PM, rajendra prasad <rajendra.palnaty () gmail com> wrote:
>>
>>> Hi List,
>>>
>>> I am putting my thoughts on this, please share your thoughts, comments.
>>>
>>> Request length is less than the response length. So, processing a small amount of data is better than processing bulk data. Response may have encrypted data. Buffering all the client-server transactions and validating signatures on them is difficult. Even though buffered, client data may not be in plain text. Embedding all the client encryption/decryption process on the fly is not possible, even though the IPS gathered key values of clients. Most of the client protection is done by anti-virus. So, concentrating on client attacks at IPS level is not so needed.
>>>
>>> Thanks
>>> Rajendra
>>
>> ------------------------------
>>
>> Message: 5
>> Date: Tue, 1 Jun 2010 14:52:51 +0200
>> From: "Cor Rosielle" <cor () outpost24 com>
>> Subject: Re: [Full-disclosure] Why the IPS product designers concentrate on server side protection? why they are missing client protection
>> To: "'Nelson Brito'" <nbrito () sekure org>
>> Cc: full-disclosure () lists grok org uk
>> Message-ID: <003001cb0189$5962ddf0$0c2899d0$@com>
>> Content-Type: text/plain; charset="UTF-8"
>>
>> Nelson,
>>
>>> You're missing one point: Host IPS MUST be deployed with any Network Security (Firewalls or NIPSs).
>>
>> Please be aware this is a risk decision and not a fact. I don't use a host IPS and no anti-virus either. Still I'm sure my laptop is perfectly safe. This is because I do critical thinking about security measures and don't copy the behavior of others (who often don't think for themselves and just copy other people's behavior). Please note I'm not saying you're not thinking. If you did some critical thinking and a host IPS is a good solution for you, then that's OK. It just doesn't mean it is a good solution for everybody else and everybody MUST deploy a host IPS.
>>
>>> No security solution/technology is the miracle protection alone,
>>
>> That's true.
>>
>>> so that's the reason everybody is talking about defense in depth.
>>
>> Defense in depth is often used for another line of a similar defense mechanism as the previous one already was. Different layers of defense work best if the defense mechanisms differ. So if you're using anti-virus software (which gives you an authentication control and an alarm control according to the OSSTMM), then a host IDS is not the best additional security measure (because this also gives you an authentication and an alarm control). This would also be a risk decision, but based on facts and the rules defined in the OSSTMM and not based on some marketing material. You should give it a try.
>>
>> Regards,
>> Cor Rosielle
>> w: www.lab106.com
>>
>> ------------------------------
>>
>> Message: 6
>> Date: Tue, 1 Jun 2010 10:27:48 -0300
>> From: Nelson Brito <nbrito () sekure org>
>> Subject: Re: [Full-disclosure] Why the IPS product designers concentrate on server side protection? why they are missing client protection
>> To: rajendra prasad <rajendra.palnaty () gmail com>
>> Cc: "full-disclosure () lists grok org uk" <full-disclosure () lists grok org uk>
>> Message-ID: <76444513-375E-472C-A3CA-8F4A9776EDD4 () sekure org>
>> Content-Type: text/plain; charset="utf-8"
>>
>> Okay, but why did you mention AV as a client-side protection? It leads to a discussion about client-side protection, anyways.
>>
>> Cheers.
>>
>> Nelson Brito
>> Security Researcher
>> http://fnstenv.blogspot.com/
>>
>> Please, help me to develop the ENG® SQL Fingerprint™ downloading it from Google Code (http://code.google.com/p/mssqlfp/) or from Sourceforge (https://sourceforge.net/projects/mssqlfp/).
>>
>> Sent on an iPhone wireless device. Please, forgive any potential misspellings!
>>
>> On Jun 1, 2010, at 9:58 AM, rajendra prasad <rajendra.palnaty () gmail com> wrote:
>>
>>> Hi List,
>>>
>>> I have started this discussion with respect to Network IPS.
>>>
>>> Thanks
>>> Rajendra
>>>
>>> On Tue, Jun 1, 2010 at 1:08 PM, rajendra prasad <rajendra.palnaty () gmail com> wrote:
>>>
>>>> Hi List,
>>>>
>>>> I am putting my thoughts on this, please share your thoughts, comments.
>>>>
>>>> Request length is less than the response length. So, processing a small amount of data is better than processing bulk data. Response may have encrypted data. Buffering all the client-server transactions and validating signatures on them is difficult. Even though buffered, client data may not be in the plai
Current thread:
- Full-disclosure] Why the IPS product designers Srinivas Naik (Jun 01)
- Re: Full-disclosure] Why the IPS product designers Cor Rosielle (Jun 01)
- Re: Full-disclosure] Why the IPS product designers Srinivas Naik (Jun 02)
- Re: Full-disclosure] Why the IPS product designers Nelson Brito (Jun 02)
- <Possible follow-ups>
- Re: Full-disclosure] Why the IPS product designers Nelson Brito (Jun 02)
- Re: Full-disclosure] Why the IPS product designers Cor Rosielle (Jun 01)