Snort mailing list archives
Re: flow_depth and WMF exploit
From: Jason <security () brvenik com>
Date: Thu, 05 Jan 2006 12:59:39 -0500
Frank Knobbe wrote:
> On Thu, 2006-01-05 at 12:11 -0500, Jason wrote:
>> At no point in time was an IDS/IPS _designed_ to handle client side attacks or the myriad of options for encodings, file formats, compression, embedding... that exist on the client side. This function has and will remain a responsibility of software on the host. Traditionally this has been AV and unfortunately they have been failing to respond effectively.
>
> Please don't put words into my mouth. I didn't say this at all. Matter of fact, I said the same thing you said in a different email.

I didn't intend to put words in your mouth at all. I am stating that it is unfortunate that AV is failing to respond effectively. I think that as a result of this people are searching for other things that can help them out.

>> The assertion that IPS is less capable of performing the task it is designed for is fallacious and only highlights the complete lack of understanding in the market of the technology.
>
> Not quite. IPSes that claim to inspect traffic at wire speed (that includes server responses) are less capable of performing the inspection tasks at higher speeds when the workload is increased by also having to decode the data first from various encoding formats. (Proxies are better suited for that since they were designed from day one as an accept-and-forward type device.)

This is rather obvious, isn't it? Your statement also further highlights that there is a complete lack of understanding in the market. That any vendor claims to be able to perform this at wire speed, handling all or even the most common potential encodings and formats, and actually markets the technology that way is a disservice. That you echo these thoughts is good. That you seemingly buy into the methodology and think it is a tool that is appropriate is not good.

> I'm not talking about your rate-limiters and profile-based IPSes. Actually, we didn't even venture into the I_P_S arena at all, and purposefully so. Please don't lead us there, especially not with dismissing comments like above.

The comment is not dismissive at all. IMHO it is factual and representative of the misconception people have of the appropriate use of technology.

> -Frank
> --
> It is said that the Internet is a public utility. As such, it is best compared to a sewer. A big, fat pipe with a bunch of crap sloshing against your ports.