Re: Network hardware IPS

From: Stefano Zanero (zanero_at_elet.polimi.it)
Date: 10/07/03

  • Next message: Gary Flynn: "Re: Network hardware IPS"
    To: "Dave Killion" <Dkillion@netscreen.com>, <focus-ids@securityfocus.com>
    Date: Tue, 7 Oct 2003 10:05:44 +0200
    
    

    > Real world example: If I see "cmd.exe" in a URL, I will, every time,
    > detect a malicious act.

    And if someone inserts in their home directory a /cmd.exe/ path you will get
    flooded by false positives. While, if you refer to many other attacks that
    can be spotted in the URL, if the URL is encoded you may miss them, unless
    you make very general signatures... and so on.

    I am not discussing the fact that for some specific signatures, in some
    specific environment, the ROC curve may show a lucky plateau, allowing it to
    improve (up to a point) DR with no (visible) growth of FP. But it's a drop
    in the ocean ;)

    > Fragments vs. packets vs. stream - you need to see it as the victim
    > would. Encoding attacks, fragment overlap attacks, etc - all come out
    > in the wash if you parse it the same as the victim.

    It's been proven that it's not that easy. Please see Thomas H. Ptacek and
    Timothy N. Newsham, "Insertion, Evasion, And Denial Of Service: Eluding
    Network Intrusion Detection," Technical Report, Secure Networks, Inc.,
    January 1998.

    > Polymorphic attacks are very interesting and all, but when it comes down
    > to it, they are a very small minority.

    ADMutate, anyone?

    > In order to exploit the new DCOM
    > vulnerability, you need to open a REMACT binding. This is hard-coded
    > and can't be morphed.

    Yes. And unfamiliar as I am with the DCOM protocol: isn't REMACT also used
    in the normal operation of the protocol?

    > There's a variety, but still finite number of
    > ways to make an x86 No-Op slide.

    It's countable, not finite. Hardly the same thing.

    > You *can* reduce FP without
    > impacting DR. If I didn't believe that, I'd not have a job.

    If everyone believed that, I wouldn't have mine ^_^

    Stefano
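An added illustration of the cmd.exe exchange above (example code, not part of the original thread): a bare substring signature, and the same signature applied after decoding the URL the way the victim's server would. The sample requests and the two-round decode limit are constructed assumptions; the point is that normalization lifts the detection rate on encoded variants while the benign hits, the /cmd.exe/ home-directory path among them, move the false-positive rate with it.

```python
"""Toy URL signature matcher: the cmd.exe signature versus encoding and benign paths."""
from urllib.parse import unquote

SIGNATURE = "cmd.exe"

def normalize(url: str, rounds: int = 2) -> str:
    """Percent-decode up to `rounds` times (catches double encoding) and lowercase,
    approximating how the target web server would interpret the request."""
    out = url
    for _ in range(rounds):
        decoded = unquote(out)
        if decoded == out:
            break
        out = decoded
    return out.lower()

def naive_match(url: str) -> bool:
    """Substring match on the URL exactly as it appears on the wire."""
    return SIGNATURE in url

def normalized_match(url: str) -> bool:
    """Substring match after decoding the URL the way the victim would."""
    return SIGNATURE in normalize(url)

# Constructed sample requests: (url, is_malicious). Not captured traffic.
SAMPLES = [
    ("/scripts/..%255c../winnt/system32/cmd.exe?/c+dir", True),    # plain
    ("/scripts/..%255c../winnt/system32/%63md.exe?/c+dir", True),  # 'c' encoded
    ("/scripts/..%255c../winnt/system32/CMD.EXE?/c+dir", True),    # case change
    ("/~alice/cmd.exe/notes.html", False),      # benign path component, as in the post
    ("/docs/index.html", False),
    ("/search?q=%63md%2Eexe+tutorial", False),  # benign query mentioning the term
]

def evaluate(matcher) -> tuple[float, float]:
    """Return (detection rate, false positive rate) of `matcher` over SAMPLES."""
    hits_on_bad = hits_on_good = 0
    bad = sum(1 for _, malicious in SAMPLES if malicious)
    good = len(SAMPLES) - bad
    for url, malicious in SAMPLES:
        if matcher(url):
            if malicious:
                hits_on_bad += 1
            else:
                hits_on_good += 1
    return hits_on_bad / bad, hits_on_good / good

if __name__ == "__main__":
    print("naive:", evaluate(naive_match), "normalized:", evaluate(normalized_match))
```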


