Snort mailing list archives

Re: NSS Labs : CheckPoint 97.3% recommended profile hoax ?


From: Martin Holste <mcholste () gmail com>
Date: Tue, 10 May 2011 08:47:10 -0500

Rick,

Thanks very much for weighing in on this thread.

> About our IPS testing, there were some questions about attack surface. Our
> attack set includes exploits that return live shells against > 1200 CVSS 7+
> vulns, and growing. So most of our content is relevant to typical
> enterprises. And this is the largest set of vulns in any test (10x the other
> labs). Includes client and server attacks against all major OS and apps and
> patch levels.  Less mainstream OS & apps? This is where custom testing
> becomes important. Lots of methodology info on our site. But then you need
> the right tools, vulnerable hosts and exploits…


That's great but sounds very server-exploit focused.  Sure, you
probably have a lot of client-side exploits in there, but if you were
to read through the engine discussions on this list for the last year,
you'll find that the majority of them are regarding a combination of
the stream preproc (which I'm sure NSS does an excellent job testing)
and the HTTP preproc (which I'm not so sure you do a good job at
testing).  Specifically, I'm a lot less concerned with packet
fragmentation and flow reversal than I am with making sure that a piece
of an HTTP header ends up in the right buffer so the correct signature
fires.

My team focuses primarily on hunting malware-infected machines, which
means that the vast majority of our actionable alerts are on HTTP GET
and POST requests to bad guy sites.  On any given day, our users have
about a 1% chance of being subjected to an ad-banner-based browser
exploit.  Of these hundreds of daily exploit attempts, less than 1%
succeed all the way to check-in.  As such, we don't have resources to
worry about exploits, and frankly we don't care.  We already know the
client is going to get attacked at least quarterly.  We focus on
finding the successful infections so we can nuke them from orbit
before they cause problems.

So my question to you is this: what is NSS doing in its testing
batteries to evaluate how well products are finding malware check-ins
and/or data exfiltration versus exploitation?
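As an added illustration of the buffer point above (not code from this list, from NSS, or from Snort itself): a toy Python model of Snort-style HTTP inspection buffers, with a constructed rule set and a constructed beacon POST split across two TCP segments, showing that a header-scoped signature only fires once the whole request has been reassembled before inspection.

```python
"""Toy model of Snort-style HTTP buffers (illustration only, not Snort's code)."""
from dataclasses import dataclass


@dataclass
class HttpBuffers:
    method: str       # roughly Snort's http_method
    uri: str          # roughly Snort's http_uri
    header: str       # roughly Snort's http_header
    client_body: str  # roughly Snort's http_client_body


def split_http_request(raw: bytes) -> HttpBuffers:
    """Split whatever the stream layer hands us into per-buffer text."""
    text = raw.decode("latin-1")
    head, _, body = text.partition("\r\n\r\n")
    request_line, _, header_block = head.partition("\r\n")
    method, uri, _ = (request_line.split(" ", 2) + ["", ""])[:3]
    return HttpBuffers(method, uri, header_block, body)


# Constructed rules: (sid, buffer the content is scoped to, content string)
RULES = [
    (1000001, "client_body", "id=bot&cmd="),
    (1000002, "header", "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0"),
    (1000003, "uri", "/gate.php"),
]


def match_rules(buffers: HttpBuffers, rules=RULES) -> list:
    """Return sids whose content appears in the buffer they are scoped to."""
    return sorted(sid for sid, buf, content in rules
                  if content in getattr(buffers, buf))


# Constructed check-in POST; the segment boundary falls inside the User-Agent line.
SEGMENT_1 = (b"POST /gate.php HTTP/1.1\r\nHost: c2.example.invalid\r\n"
             b"User-Agent: Mozilla/4.0 (compa")
SEGMENT_2 = (b"tible; MSIE 6.0; Windows NT 5.1)\r\n"
             b"Content-Length: 12\r\n\r\nid=bot&cmd=0")


def alerts_after_reassembly() -> list:
    """Stream reassembly first: every piece lands in its proper buffer."""
    return match_rules(split_http_request(SEGMENT_1 + SEGMENT_2))


def alerts_per_segment() -> list:
    """Inspect each segment alone: the tail of the header is treated as a
    request line, so the header-scoped User-Agent rule never fires."""
    hits = set()
    for segment in (SEGMENT_1, SEGMENT_2):
        hits.update(match_rules(split_http_request(segment)))
    return sorted(hits)
```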
