Re: Wishlist for IPS Products
From: David Maynor (dmaynor_at_gmail.com)
Date: 09/21/04
- Previous message: George Capehart: "Re: What is false alarm rate and false positive rate?"
- In reply to: David Maynor: "Re: Wishlist for IPS Products"
- Next in thread: PS R: "Re: Wishlist for IPS Products"
- Reply: PS R: "Re: Wishlist for IPS Products"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 21 Sep 2004 15:31:52 -0400
To: Tony Carter <tcarter@entrusion.com>
I work for ISS btw.
On Mon, 20 Sep 2004 18:49:25 -0400, David Maynor <dmaynor@gmail.com> wrote:
> No guess. It's a simple recipe. Take one Tipping Point box, one
> machine that is vulnerable to MS03-026, and a bit of coding knowledge
> of rpc. I chose 03-026 because, due to Blaster, it should at least be
> the one exploit it could block. You then manually generate the bind
> request, carefully making sure the RPC frag size is so small that the
> target guid is in two different packets. Something funny happens. You
> would get system access and the Tipping Point box does nothing. Nada.
> Zip. Zilch. While you are issuing commands like 'net user /add hacker'
> the Tipping Point box stays silent. I scratched my head over this till
> I realized that it happens because TippingPoint doesn't do protocol
> parsing; it's the only explanation. Hardly the behavior for an award
> winning IPS that writes its sigs for the vulnerability and not the
> exploit... supposedly.
>
> On Thu, 16 Sep 2004 23:30:30 -0400, Tony Carter <tcarter@entrusion.com> wrote:
> > David,
> > Can you back your claim that IPS can easily be evaded by fragging
> > packets? Have you actually tested this or is it your guess?
> >
> > -Tony
> >
> > On Sep 12, 2004, at 12:29 AM, David Maynor wrote:
> >
> > > Yeah... I am gonna go ahead and disagree with you on some of these.
> > >
> > >> I have seen a lot of discussion about the differences between IDS,
> > >> IPS, and firewalls and the potential for convergence, but I do not
> > >> recall a discussion on the primary features that an IPS should have
> > >> out of the box.
> > >>
> > >> I am thinking of:
> > >> - Flow Control - limitations on flooding, unused connections, etc...
> > >
> > > Most of this should be handled by the signature base.
> > >
> > >> - Robust, ACCURATE signature base
> > >
> > > Only way to do this and not create tons of false positives is true
> > > protocol parsing. This knocks out most IPS vendors like Tipping Point.
> > >
> > >> - Packet capture - no debate on how much before, as that has been
> > >> covered
> > >> - Pre-deployment network analysis tools to accelerate deployment
> > >> - Anomaly detection
> > >
> > > Why? I have yet to see a system that is more than a parlor trick.
> > > Anomaly-based systems are even easier to evade than sig-based systems
> > > that don't do protocol parsing.
> > >
> > > What I would add is better tools for testing. Almost nobody grabs a
> > > copy of Canvas from Immunity or Impact from Core and actually checks
> > > what attacks are caught. Furthermore, even fewer use modded copies of
> > > public exploits to see if the claims made by vendors are actually
> > > true. How many vendors' IPS implementations would actually catch an
> > > MS03-026 exploit if you frag at the RPC layer at a size like 8
> > > bytes?
> > >
> > >
> >
> >
>
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------
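As an added illustration of the evasion Maynor describes, and not code from the original thread: a minimal DCERPC fragment reassembler beside a per-packet matcher, both run over a constructed bind request whose body is split into 8-byte fragments so the interface UUID straddles two PDUs. The UUID is a constructed placeholder, the PDU and bind layouts are the standard connection-oriented DCERPC ones, and little-endian data representation is assumed.

```python
import struct
import uuid
PFC_FIRST_FRAG, PFC_LAST_FRAG, PTYPE_BIND, HDR_LEN = 0x01, 0x02, 11, 16
# Constructed placeholder, not a real interface id: the UUID a vulnerability signature keys on.
WATCHED_IFACE = uuid.UUID("11111111-2222-3333-4444-555555555555")

def parse_pdu(pdu):
    """Header fields and body of one connection-oriented DCERPC PDU (little-endian DREP assumed)."""
    if len(pdu) < HDR_LEN or pdu[0] != 5:
        raise ValueError("not a DCERPC v5 PDU")
    _, _, ptype, flags, _, frag_len, _, call_id = struct.unpack("<BBBB4sHHI", pdu[:HDR_LEN])
    if frag_len > len(pdu):
        raise ValueError("frag_length exceeds captured bytes")
    return ptype, flags, call_id, pdu[HDR_LEN:frag_len]

def bind_iface(body):
    """Abstract-syntax UUID of the first presentation context in a bind body, or None if truncated."""
    # max_xmit(2) max_recv(2) assoc_group(4) n_ctx(1) pad(3) | ctx_id(2) n_ts(1) pad(1) uuid(16) ver(4)
    return uuid.UUID(bytes_le=body[16:32]) if len(body) >= 36 else None

def naive_match(pdus):
    """Per-packet matcher: searches each fragment on its own, as an IPS without protocol parsing would."""
    return any(WATCHED_IFACE.bytes_le in parse_pdu(p)[3] for p in pdus)

def reassembled_match(pdus):
    """Protocol-parsing matcher: reassemble fragments by call_id, then inspect the complete bind."""
    pending = {}
    for p in pdus:
        ptype, flags, call_id, body = parse_pdu(p)
        if flags & PFC_FIRST_FRAG:
            pending[call_id] = [ptype, b""]
        if call_id not in pending:
            continue  # stray fragment whose first fragment was never seen
        pending[call_id][1] += body
        if flags & PFC_LAST_FRAG:
            ptype, full = pending.pop(call_id)
            if ptype == PTYPE_BIND and bind_iface(full) == WATCHED_IFACE:
                return True
    return False

def fragment_bind(iface, frag_body_len, call_id=1):
    """Constructed test input: a minimal bind PDU whose body is split into frag_body_len-byte fragments."""
    ctx = struct.pack("<HBB", 0, 1, 0) + iface.bytes_le + struct.pack("<I", 0) + b"\x00" * 20
    body = struct.pack("<HHIBBH", 5840, 5840, 0, 1, 0, 0) + ctx
    chunks = [body[i:i + frag_body_len] for i in range(0, len(body), frag_body_len)]
    pdus = []
    for i, chunk in enumerate(chunks):
        flags = (PFC_FIRST_FRAG if i == 0 else 0) | (PFC_LAST_FRAG if i == len(chunks) - 1 else 0)
        pdus.append(struct.pack("<BBBB4sHHI", 5, 0, PTYPE_BIND, flags, b"\x10\x00\x00\x00", HDR_LEN + len(chunk), 0, call_id) + chunk)
    return pdus
```

With the bind body cut into 8-byte fragments, naive_match stays silent while reassembled_match still fires; a fragment with no preceding first fragment, or a body too short to hold a context, is ignored rather than matched.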