The usefulness of IDSes (Was: Re: [Full-Disclosure] Is Marty Lying?)

From: Peter Busser (peter_at_trusteddebian.org)
Date: 09/23/03

    To: full-disclosure@lists.netsys.com
    Date: Tue, 23 Sep 2003 08:35:53 +0200
    
    

    Hi!

    > "Detect intrusions" - if you can set an IDS signature for something, then
    > you shouldn't be vulnerable to it. So the functionality of IDS is to tell
    > you when you've been compromised by six-month old public vulnerabilities
    > that dvdman has finally gotten his hands on an exploit for, that you never
    > bothered to patch for?
    >
    > Useless.

    And what if you use an IDS for checking a security policy? E.g. if you have a
    special server that is only used by the accounting department and you set up
    rules to detect connections to that server coming from other departments?

    Or to monitor port scanning probes on the network. A system shouldn't be
    vulnerable to a probe. But it could mean the prelude to an attack.

    Of course these things could be detected by other means as well.

    Groetjes,
    Peter Busser

    -- 
    The Adamantix Project
    Taking trustworthy software out of the labs, and into the real world
    http://www.adamantix.org/
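Both checks the post describes, as an added example that is not part of the original message: a policy rule for the accounting server and a simple port-probe detector, run over a constructed flow log. The server address, subnet, thresholds and log format are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict, namedtuple

# Assumed policy values for this example (not from the original post).
ACCOUNTING_SERVER = ipaddress.ip_address("10.0.5.10")    # the special server
ACCOUNTING_SUBNET = ipaddress.ip_network("10.0.5.0/24")  # the only allowed clients
SCAN_PORT_THRESHOLD = 6    # distinct dst ports from one source ...
SCAN_WINDOW_SECONDS = 60   # ... inside this window counts as a probe

Flow = namedtuple("Flow", "ts src dst dport")

def parse_flows(text):
    """Parse the assumed log format '<unix_ts> <src_ip> <dst_ip> <dst_port>'."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport = line.split()
        flows.append(Flow(int(ts), ipaddress.ip_address(src),
                          ipaddress.ip_address(dst), int(dport)))
    return flows

def policy_violations(flows):
    """Connections to the accounting server from outside its own subnet."""
    return [f for f in flows
            if f.dst == ACCOUNTING_SERVER and f.src not in ACCOUNTING_SUBNET]

def scan_sources(flows):
    """Map source -> max distinct dst ports it touched within any one window."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append((f.ts, f.dport))
    flagged = {}
    for src, events in by_src.items():
        for t0, _ in events:   # try each event as the start of a window
            ports = {p for t, p in events if t0 <= t < t0 + SCAN_WINDOW_SECONDS}
            if len(ports) >= SCAN_PORT_THRESHOLD:
                flagged[src] = max(flagged.get(src, 0), len(ports))
    return flagged

# Constructed sample: one allowed access, two from another department, a web hit, a 6-port probe.
SAMPLE_LOG = """
1064300000 10.0.5.20 10.0.5.10 445
1064300005 10.0.7.33 10.0.5.10 445
1064300006 10.0.7.33 10.0.5.10 139
1064300010 10.0.5.21 10.0.3.4 80
1064300020 10.0.9.5 10.0.3.4 21
1064300021 10.0.9.5 10.0.3.4 22
1064300022 10.0.9.5 10.0.3.4 23
1064300023 10.0.9.5 10.0.3.4 25
1064300024 10.0.9.5 10.0.3.4 80
1064300025 10.0.9.5 10.0.3.4 443
"""
```

Neither rule needs a vulnerability signature: the first encodes who may talk to the server, the second only counts distinct ports per source, which is why the probe is visible even though the target is not vulnerable to it.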
