Re: Wishlist for IPS Products

From: David Maynor (dmaynor_at_gmail.com)
Date: 09/21/04

  • Next message: David Maynor: "Re: Wishlist for IPS Products" 
    Date: Mon, 20 Sep 2004 18:58:15 -0400
To: "idswizard@earthlink.net" <idswizard@earthlink.net>

    Claims don't really mean much to me. After going through the song and
    dance sales pitch of most IPS vendors that claim serious protection
    but instead only offer a false sense of security I am a bit jaded.
    False negatives in Tipping Point are as plentiful as beer in Germany.
    You want an example? Take a jpeg and somewhere in it embed an
    offending guid from ms03-026 or ms03-039. Copy this jpeg between two
    windows machines over file sharing. Viola, tipping point just fired
    the sig over the the pic being copied.

    If they had real protocol parsing this would not be possible.

    On Sat, 18 Sep 2004 10:28:58 -0400, idswizard@earthlink.net
    <idswizard@earthlink.net> wrote:
    > > Only way to do this and not create tons of false postives is true protocol
    > parsing. This knocks out most IPS vendors like Tipping Point.
    >
    > That is an interesting statement. Tipping Point claims to only have one
    > customer experience a false positive and it was based on Chat traffic.
    > During a SANS webcast, Los Alamos National Laboratory seemed to back that
    > data (https://www.sans.org/webcasts/show.php?webcastid=90514).
    >
    > What test(s) have you done showing Tipping Point is prone to false positives
    > based on their signatures/filters?
    >
    >
    >
    >
    > --------------------------------------------------------------------------
    > Test Your IDS
    >
    > Is your IDS deployed correctly?
    > Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
    > Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
    > --------------------------------------------------------------------------
    >
    >

    --------------------------------------------------------------------------
    Test Your IDS

    Is your IDS deployed correctly?
    Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
    Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
    --------------------------------------------------------------------------

  • Next message: David Maynor: "Re: Wishlist for IPS Products"

    Relevant Pages

    • RE: Wishlist for IPS Products
      ... This knocks out most IPS vendors like Tipping Point. ... What testhave you done showing Tipping Point is prone to false positives ...
      (Focus-IDS)
    • Re: Wishlist for IPS Products
      ... carefully making sure the RPC frag size is so small that the target ... get system access and the Tipping Point box does nothing. ... > Can you back your claim that IPS can easily be evaded by fragging ... Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. ...
      (Focus-IDS)
    • Re: Wishlist for IPS Products
      ... Can you back your claim that IPS can easily be evaded by fragging ... This knocks out most IPS vendors like Tipping Point. ... Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. ...
      (Focus-IDS)