RE: On IDS Evasion, Vulnerabilities, and Vendor Hype
From: McCammon, Keith (Keith.McCammon@eadvancemed.com)
Date: 10/04/01
- Previous message: Jose Luis Araujo: "Re: "Another" Newbie IDS Question"
- Maybe in reply to: Eric Hacker: "On IDS Evasion, Vulnerabilities, and Vendor Hype"
- Next in thread: Marc Maiffret: "RE: On IDS Evasion, Vulnerabilities, and Vendor Hype"
Message-ID: <BB7FD4FF9E440648A731452E5D341FB0654660@hitsexchange01.advance-med.com>
From: "McCammon, Keith" <Keith.McCammon@eadvancemed.com>
To: 'Eric Hacker' <hacker@vudu.net>, IDS Focus <FOCUS-IDS@SECURITYFOCUS.COM>, IDS List <ids@uow.edu.au>, bugtraq@securityfocus.com
Subject: RE: On IDS Evasion, Vulnerabilities, and Vendor Hype
Date: Thu, 4 Oct 2001 09:25:27 -0400
>Recently a disturbing event played out in the IDS world. A security
>company released an advisory regarding the ability to bypass IDS
>signatures. This is disturbing because it conveys the impression that
>otherwise, it was not possible to bypass IDS systems. This is not
>true. IDS, especially Network IDS, is not mathematics. It is more
>like psychology; it is far from perfect.
To my knowledge, this was never implied in any of the advisories, nor was it
the intended message. The advisories were pretty clear regarding the fact
that *this* method could be used to evade an IDS (or several, for that
matter).
>signatures that are supposed to detect those attacks. To release all
>such methodologies as advisories at this stage of maturity in the
>technology is pointless, unless one is seeking publicity.
You are wrong. You are dead wrong. This follows the logic that OS vendors
and the folks at eEye, SF, etc. shouldn't release exploits until *all*
exploits for a given system are known. Full disclosure forces us to look at
things in a different light, and follow one vulnerability to yet another.
And so we patch the new one as well.
>Eeye cast the first stone with their advisory %u encoding IDS bypass
>vulnerability (http://www.securityfocus.com/advisories/3552).
>Certainly the issue that Eeye discovered is an important one and
>needed to be made public. The practice of marketing an organization's
>name through advisories is what is not necessary.
eEye, like just about any other security firm, announced the vulnerability
under their name. This isn't marketing, this gives the report credibility.
This also gives credit where credit is due.
If the release under their name brings in some business, so be it. They do
good work, and they uncovered one of the worst IIS holes to date. I'd hire
'em in a second.
>Customers who fall prey to vendor hype and believe that they have
>bought security.
Not the vendor's fault. Any semi-competent security (or even networking)
professional knows that security is an on-going process that cannot be
bought.
>The system of trust that vendors release advisories to promote
>full disclosure and not to further their own interests.
How is that a vulnerability? You're not making sense.
>Eric Hacker, CISSP, GCIA, MCSE, CCSE
Nice collection.
Keith
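The %u encoding bypass referred to above works because the web server decodes Microsoft-style %uXXXX escapes that a plain %XX percent-decoder leaves untouched, so a signature matched against the raw or %XX-decoded request never sees the bytes the server acts on. The following Python is an added example, not code from this thread or from any vendor named in it: a normaliser that decodes both escape forms before matching, run over constructed request lines and a constructed signature string to show which requests a %u-unaware matcher misses.

```python
import re

# Constructed sample request lines and a constructed content signature;
# none of these come from the thread or from any real ruleset.
SIGNATURES = ["cmd.exe"]
SAMPLE_REQUESTS = [
    "GET /scripts/cmd.exe HTTP/1.0",          # plain, matched by both
    "GET /scripts/%u0063md.exe HTTP/1.0",     # %u0063 == 'c', server decodes it
    "GET /scripts/%63md.exe HTTP/1.0",        # ordinary %XX, most decoders handle it
    "GET /index.html HTTP/1.0",               # benign
]

# One regex, one pass: decode %uXXXX (a UTF-16 code unit) or %XX exactly
# once. Doing it in a single pass avoids turning a decoded '%' into a new
# escape sequence, i.e. no accidental double decoding.
_ESCAPE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")
_PCT_ONLY = re.compile(r"%([0-9A-Fa-f]{2})")


def normalize_uri(uri: str) -> str:
    """Canonicalise the URI the way a %u-aware server would, then lowercase."""
    return _ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), uri).lower()


def naive_normalize(uri: str) -> str:
    """Standard %XX decoding only: what a %u-unaware sensor sees."""
    return _PCT_ONLY.sub(lambda m: chr(int(m.group(1), 16)), uri).lower()


def matches(uri: str, signatures, normalizer) -> list:
    """Return the signatures found in the normalised URI."""
    canon = normalizer(uri)
    return [s for s in signatures if s in canon]


def scan(requests, signatures) -> list:
    """For each request line, report hits under both normalisers."""
    report = []
    for line in requests:
        uri = line.split(" ")[1]           # request-target of "METHOD target VERSION"
        report.append({
            "request": line,
            "naive": matches(uri, signatures, naive_normalize),
            "u_aware": matches(uri, signatures, normalize_uri),
        })
    return report


if __name__ == "__main__":
    for row in scan(SAMPLE_REQUESTS, SIGNATURES):
        print(f"{row['request']:45} naive={row['naive']} u_aware={row['u_aware']}")
```

Only the second request separates the two matchers: the %u form slips past the %XX-only decoder but is caught once the sensor decodes the same escapes the server does.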