Re: Wishlist for IPS Products

From: David Maynor (dmaynor_at_gmail.com)
Date: 09/21/04

    Date: Mon, 20 Sep 2004 18:49:25 -0400
    To: Tony Carter <tcarter@entrusion.com>
    
    

    No guess. It's a simple recipe. Take one Tipping Point box, one
    machine that is vulnerable to MS03-026, and a bit of coding knowledge
    of RPC. I chose 03-026 because, due to Blaster, it should at least be the one
    exploit it could block. You then manually generate the bind request,
    carefully making sure the RPC frag size is so small that the target
    GUID is in two different packets. Something funny happens. You would
    get system access and the Tipping Point box does nothing. Nada. Zip.
    Zilch. While you are issuing commands like 'net user /add hacker' the
    Tipping Point box stays silent. I scratched my head over this till I
    realized that it happens because TippingPoint doesn't do protocol
    parsing; it's the only explanation. Hardly the behavior for an award
    winning IPS that writes its sigs for the vulnerability and not the
    exploit... supposedly.

    On Thu, 16 Sep 2004 23:30:30 -0400, Tony Carter <tcarter@entrusion.com> wrote:
    > David,
    > Can you back your claim that IPS can easily be evaded by fragging
    > packets? Have you actually tested this or is it your guess?
    >
    > -Tony
    >
    >
    >
    >
    > On Sep 12, 2004, at 12:29 AM, David Maynor wrote:
    >
    > > Yeah....I am gonna go ahead and disagree with you on some of these.
    > >
    > >> I have seen a lot of discussion about the differences between IDS,
    > >> IPS, and firewalls and the potential for convergence, but I do not
    > >> recall a discussion on the primary features that an IPS should have
    > >> out of the box.
    > >>
    > >> I am thinking of:
    > >> - Flow Control - limitations on flooding, unused connections, etc...
    > >
    > > Most of this should be handled by the signature base.
    > >
    > >> - Robust, ACCURATE signature base
    > >
    > > Only way to do this and not create tons of false positives is true
    > > protocol parsing. This knocks out most IPS vendors like Tipping Point.
    > >
    > >> - Packet capture - no debate on how much before, as that has been
    > >> covered
    > >> - Pre-deployment network analysis tools to accelerate deployment
    > >> - Anomaly detection
    > >
    > > Why? I have yet to see a system that is more than a parlor trick.
    > > Anomaly based systems are even easier to evade than sig based systems
    > > that don't do protocol parsing.
    > >
    > > What I would add is better tools for testing. Almost nobody grabs a
    > > copy of Canvas from Immunity or Impact from Core and actually checks
    > > what attacks are caught. Furthermore, an even fewer number use modded
    > > copies of public exploits to see if the claims made by vendors are
    > > actually true. How many vendor's IPS implementation would actually catch
    > > a MS03-026 exploit if you frag at the RPC layer at a size like 8
    > > bytes?
    > >

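The detection gap Maynor describes, as an added example that is not part of the mailing-list post: a constructed DCE/RPC bind body is split into 8-byte fragments, and the watched interface UUID is searched for first per packet (what a box without protocol parsing does) and then after stitching the fragments back together by call_id. The 16-byte connection-oriented DCE/RPC header layout and the FIRST_FRAG/LAST_FRAG flag bits are the standard ones; the UUID, the payload bytes and the function names (`build_fragments`, `naive_match`, `reassembling_match`) are placeholders constructed for this illustration, not the MS03-026 interface or any vendor's code.

```python
import struct
import uuid

PFC_FIRST_FRAG, PFC_LAST_FRAG = 0x01, 0x02
PTYPE_BIND = 11  # DCE/RPC packet type for a bind request

# Constructed placeholder for the watched interface UUID (not a real one).
WATCHED_UUID = uuid.UUID("12345678-1234-5678-1234-56789abcdef0")
SIGNATURE = WATCHED_UUID.bytes_le  # DCE/RPC carries UUIDs little-endian
# Constructed bind body: filler, the UUID at offset 12, trailing filler.
BIND_BODY = b"\x00" * 12 + SIGNATURE + b"\x00" * 8
HDR = "<BBBBIHHI"  # ver, minor, ptype, pfc_flags, drep, frag_len, auth_len, call_id

def build_fragments(body, frag_size, call_id=1):
    """Split a bind body into fragments of at most frag_size payload bytes,
    each carrying its own 16-byte connection-oriented DCE/RPC header."""
    chunks = [body[i:i + frag_size] for i in range(0, len(body), frag_size)]
    frags = []
    for i, chunk in enumerate(chunks):
        flags = PFC_FIRST_FRAG if i == 0 else 0
        flags |= PFC_LAST_FRAG if i == len(chunks) - 1 else 0
        hdr = struct.pack(HDR, 5, 0, PTYPE_BIND, flags, 0x10, 16 + len(chunk), 0, call_id)
        frags.append(hdr + chunk)
    return frags

def parse(frag):
    """Return (ptype, pfc_flags, call_id, payload) for one fragment."""
    _, _, ptype, flags, _, frag_len, _, call_id = struct.unpack(HDR, frag[:16])
    return ptype, flags, call_id, frag[16:frag_len]

def naive_match(frags):
    """Per-packet matching: the signature must fit inside one fragment."""
    return any(SIGNATURE in parse(f)[3] for f in frags)

def reassembling_match(frags):
    """Protocol-aware matching: stitch payloads per call_id from FIRST_FRAG
    to LAST_FRAG, then scan the reassembled bind body once."""
    buffers = {}
    for f in frags:
        ptype, flags, call_id, payload = parse(f)
        if ptype != PTYPE_BIND:
            continue
        if flags & PFC_FIRST_FRAG:
            buffers[call_id] = bytearray()  # new bind: start a fresh buffer
        buffers.setdefault(call_id, bytearray()).extend(payload)
        if flags & PFC_LAST_FRAG and SIGNATURE in bytes(buffers.pop(call_id)):
            return True
    return False
```

With 8-byte fragments `naive_match` returns False while `reassembling_match` returns True; with a single 64-byte fragment both return True, which is the behaviour the post attributes to a box that skips protocol parsing.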

