Re: Network hardware IPS

From: Stefano Zanero (zanero_at_elet.polimi.it)
Date: 10/07/03

    To: "Dave Killion" <Dkillion@netscreen.com>, <focus-ids@securityfocus.com>
    Date: Tue, 7 Oct 2003 10:05:44 +0200
    
    

    > Real world example: If I see "cmd.exe" in a URL, I will, every time,
    > detect a malicious act.

    And if someone inserts in their home directory a /cmd.exe/ path you will get
    flooded by false positives. While, if you refer to many other attacks that
    can be spotted into the URL, if the URL is encoded you may miss them, unless
    you make very general signatures... and so on.

    I am not discussing the fact that for some specific signatures, in some
    specific environment, the ROC curve may show a lucky plateau, allowing it to
    improve (up to a point) DR with no (visible) growth of FP. But it's a drop
    in the ocean ;)

    > Fragments vs. packets vs. stream - you need to see it as the victim
    > would. Encoding attacks, fragment overlap attacks, etc - all come out
    > in the wash if you parse it the same as the victim.

    It's been proven that it's not that easy. Please see Thomas H. Ptacek and
    Timothy N. Newsham, "Insertion, Evasion, and Denial of Service: Eluding
    Network Intrusion Detection," Technical Report, Secure Networks, Inc.,
    January 1998.

    > Polymorphic attacks are very interesting and all, but when it comes down
    > to it, they are a very small minority.

    ADMutate, anyone?

    > In order to exploit the new DCOM
    > vulnerability, you need to open a REMACT binding. This is hard-coded
    > and can't be morphed.

    Yes. And unfamiliar as I am with the DCOM protocol: isn't REMACT also used
    in the normal operation of the protocol?

    > There's a variety, but still finite number of
    > ways to make an x86 No-Op slide.

    It's countable, not finite. Hardly the same thing.

    > You *can* reduce FP without
    > impacting DR. If I didn't believe that, I'd not have a job.

    If everyone believed that, I wouldn't have mine ^_^

    Stefano
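
The "cmd.exe in a URL" exchange above, as an added illustration that is not part of the original thread: a naive substring rule beside a version that percent-decodes (bounded to two rounds, an assumption) and requires traversal or a system32 path before firing, run over constructed sample paths labelled attack/benign. Function names, sample strings and the two-round decoding limit are all assumptions of this example.

```python
import re
from urllib.parse import unquote

# Constructed sample request paths with labels (attack or benign); these are
# illustrative strings, not traffic from the original thread.
SAMPLES = [
    ("/scripts/..%255c../winnt/system32/cmd.exe", True),   # double-encoded backslash
    ("/scripts/..%5c../winnt/system32/%63md.exe", True),   # encoded "c" hides the token
    ("/~alice/cmd.exe/notes.txt", False),                  # benign path containing the token
    ("/index.html", False),
]

def naive_match(path: str) -> bool:
    """The rule as quoted in the thread: any 'cmd.exe' substring in the URL."""
    return "cmd.exe" in path.lower()

def normalize(path: str, rounds: int = 2) -> str:
    """Percent-decode repeatedly (bounded, to cover double encoding) and fold
    backslashes to slashes, so the detector sees what the target's decoder sees."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/").lower()

TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")

def contextual_match(path: str) -> bool:
    """Fire only when the normalized path references cmd.exe together with
    directory traversal or a system32 directory; this avoids the home-directory
    false positive while still catching the encoded variants."""
    norm = normalize(path)
    return "cmd.exe" in norm and (
        TRAVERSAL.search(norm) is not None or "/system32/" in norm
    )

def evaluate(matcher) -> tuple:
    """Return (attacks detected, false positives) for a matcher over SAMPLES."""
    detected = sum(1 for p, attack in SAMPLES if attack and matcher(p))
    false_pos = sum(1 for p, attack in SAMPLES if not attack and matcher(p))
    return detected, false_pos

if __name__ == "__main__":
    for name, m in (("naive", naive_match), ("contextual", contextual_match)):
        print(name, evaluate(m))
```

Over these four samples the naive rule scores (1, 1): it misses the encoded variant and fires on the home-directory path, while the normalizing rule scores (2, 0).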


