Re: [Full-disclosure] Attack pattern selection criteria for IPS products
- From: James Matthews <nytrokiss@xxxxxxxxx>
- Date: Sun, 11 Oct 2009 20:07:41 -0400
Yes, they do all look at the same common holes and flag them, but as for
detection everyone has a different method.
On Fri, Oct 9, 2009 at 1:16 PM, Rohit Patnaik <quanticle@xxxxxxxxx> wrote:
Why would Cisco, Juniper, etc. maintain the signature sets?
Presumably, each company maintains its own set of allow/deny rules.
--Rohit Patnaik
2009/10/9 srujan <srujan82@xxxxxxxxx>:
I agree with your word let "customer network admin selects it". But Tipping
Point, Juniper, Cisco and Snort will have a wide range of customers, and
maintaining different signature set for different Orgs is a big headache.
All these guys are maintaining 95% to 99% detection coverage at NSS IPS
testing. That's why I asked about the selection criteria.
On Fri, Oct 9, 2009 at 1:36 AM, <Valdis.Kletnieks@xxxxxx> wrote:
On Fri, 09 Oct 2009 00:47:24 +0530, srujan said:
What is the vulnerability selection criteria of Tipping Point, Juniper
kind of products.
Is it covering each and every CVE ID or is it selecting particular
level or attacks. If so what is selection criteria (cvss score or severity
most publicly exploited)
If the answer isn't "customer network admin selects it", the products are
broken and brain damaged. Different sites have different security stances,
and different opinions regarding the trade-off between the added security
benefit and the throughput and latency hits you take.
Even within a site, the trade-offs may vary. I have some machines that
are actually air-gapped, some that are heavily firewalled, and some that
are lightly firewalled - and there's probably some Snort sensors and
honeypots too.. ;)
If you're asking for "what pre-canned detection rules they come with", it's
probably "all the known vulns that we can figure out how to write a Snort
rule that doesn't suck resources". :)
OK, maybe they don't use Snort - but the same problems of filter
expressiveness, whether/how to do a regexp, and so on, are faced by all
IDS/IPS systems. If you need to do a regexp backref, it's going to either not
be part of the available toolset, or it's going to suck at line rate on high
speed interfaces. Matching '\((134|934){3,5})\(foo|bar)(more ugly)(\1|\2)' is
going to suck whether it's Snort or silicon.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
--
http://www.goldwatches.com
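Editor's added example (not part of the thread, and not anyone's shipped signature): Valdis's point that a backreference is "either not part of the available toolset, or it's going to suck at line rate" can be shown directly with a linear-time regex engine. Go's regexp package is RE2-based, guarantees linear-time matching, and therefore refuses backreferences at compile time. The program below takes a tidied-up variant of the joke pattern from the thread (the original has an unbalanced paren), shows the engine rejecting it, and then runs a backreference-free rewrite over a few constructed payloads. Both patterns, the rewrite and the sample payloads are assumptions of this example; the rewrite deliberately over-matches, which is the precision-for-throughput trade-off the thread is about.

```go
package main

import (
	"fmt"
	"regexp"
)

// A tidied-up cousin of the backreference pattern from the thread (the
// original has an unbalanced paren and is a joke, not a real rule). The
// trailing (\1|\2) demands that the tail repeat whatever group 1 or 2 matched
// earlier in the same payload, which is exactly the construct that forces a
// backtracking matcher. This constant is an assumption of this example.
const backrefPattern = `\((134|934){3,5}\)(foo|bar)more ugly(\1|\2)`

// A backreference-free approximation a rule author might settle for. It keeps
// the structure but drops the "must equal the earlier capture" constraint, so
// it over-matches (e.g. "(134134134)foomore ugly934" now passes). That loss of
// precision, traded for line-rate matching, is the trade-off the thread is
// about. Also an assumption of this example, not a published signature.
const linearPattern = `\((?:134|934){3,5}\)(?:foo|bar)more ugly(?:134|934|foo|bar)`

// CompileBackref returns the error Go's RE2-based engine raises for the
// backreference pattern. RE2 guarantees linear-time matching and therefore
// does not support backreferences at all: "not part of the available toolset".
func CompileBackref() error {
	_, err := regexp.Compile(backrefPattern)
	return err
}

// MatchLinear runs the backreference-free pattern over one payload.
func MatchLinear(payload string) bool {
	return regexp.MustCompile(linearPattern).MatchString(payload)
}

// ClassifyPayloads applies MatchLinear to each payload and returns the ones
// that fire, the way an inline sensor would pick packets out of a stream.
func ClassifyPayloads(payloads []string) []string {
	var hits []string
	for _, p := range payloads {
		if MatchLinear(p) {
			hits = append(hits, p)
		}
	}
	return hits
}

func main() {
	fmt.Println("backreference pattern:", CompileBackref())

	// Constructed sample payloads, not captured traffic.
	payloads := []string{
		"(134934134)foomore ugly134", // fires: 3 reps, tail repeats a capture
		"(134134134)foomore ugly934", // fires only because the rewrite over-matches
		"(134)foomore ugly134",       // too few repetitions, does not fire
		"unrelated HTTP payload",     // does not fire
	}
	for _, hit := range ClassifyPayloads(payloads) {
		fmt.Println("alert:", hit)
	}
}
```

The compile error is the whole lesson: an engine that promises line-rate behaviour simply cannot offer `\1`, so the rule author either rewrites the signature as a looser, backreference-free pattern (and accepts false positives) or hands the packet to a backtracking engine and accepts the latency hit.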